| Authority: | Regulator - SA |
| Jurisdiction: | South Africa |
| Relevant law: | Protection of Personal Information Act, 2013 |
| Type: | Violation |
| Outcome: | Violation |
| Started: | March 2022 |
| Decided: | 2024 |
| Published: | 2024 |
| Fine: | N/A |
| Parties: | Regulator vs. TransUnion |
| Case No.: | N/A |
| Appeal: | N/A |
| Original Source: | POPIA |
| Original contributor: | MZIZI Africa |
Contents
- Summary
- Facts
- Holding
- Comment
- Further resources
- Decision
Summary
An enforcement notice was issued against TransUnion, a registered credit bureau and a repository of credit information on consumers and businesses (the “Respondent”), after it suffered a security breach in which personal information was stolen.
Facts
In 2022, TransUnion, a registered credit bureau and a repository of credit information on consumers and businesses, was hacked by N4ughtySecTU, which demanded a $15 million (R223 million) ransom over four terabytes of compromised data. After the hack, the group claimed it had accessed several million personal records of South Africans, including the personal details of President Cyril Ramaphosa.
In March 2022, TransUnion submitted a section 22 notification indicating that it had suffered a security compromise.
The Regulator then conducted an assessment which found, inter alia, that TransUnion had breached the conditions for the lawful processing of personal information by:
- Failing to secure the confidentiality of the personal information in its possession or under its control.
- Failing to take appropriate technical and organisational measures to ensure that access control was implemented as directed by its own policy, and having no controls to detect this failure.
- Failing to prevent unlawful access to or processing of personal information, which enabled unauthorised actors to gain access through compromised credentials and a weak password.
- Failing to apply the safeguards it had adopted in the form of access management policies and user creation policies.
- Failing to implement the provisions of its own information security policies, which covered the domains recommended to ensure the confidentiality, integrity and availability of its information processing environment, as they relate to:
  - User creation – a user had been created outside of the approved user creation processes.
  - Password complexity – the password requirements set out in its Access Control Policy had been disregarded.
Holding
The Regulator issued an Enforcement Notice against TransUnion, ordering the company to:
- Develop and put in place security measures to ensure the integrity and confidentiality of personal information in its possession or under its control, so as to prevent loss of, damage to, or unauthorised destruction of that information, and unlawful access to it.
- Obtain the services of a qualified auditor or audit firm to perform an audit of all user accounts against the SFTP user creation policy, to determine whether the configuration of any further user accounts falls outside the prescripts of the policy.
- Conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information.
TransUnion was also ordered to submit proof to the Regulator, by 26 March 2024, that all the remedial measures in the Enforcement Notice had been implemented.
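The two findings above (a user created outside the approved process, and password requirements disregarded) and the ordered audit of accounts against the SFTP user creation policy can be turned into a repeatable control. The following is an added example, not TransUnion's or the Regulator's code; the policy values (an approved provisioning path, an approval record per account, a 12-character password with four character classes) and the sample account records are assumptions, since the page does not quote the actual Access Control Policy.

```python
# Added example (not TransUnion's or the Regulator's code): audit constructed SFTP
# account records against an assumed user-creation policy and gate new passwords.
import re
from dataclasses import dataclass

# Assumed policy values standing in for the Access Control Policy the page cites.
APPROVED_PROVISIONERS = {"iam-provisioning"}  # only path allowed to create SFTP users
MIN_PASSWORD_LENGTH = 12
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")

@dataclass(frozen=True)
class SftpAccount:
    username: str
    created_by: str       # service or operator that created the account
    approval_ticket: str  # change/approval reference, "" if none recorded
    auth_method: str      # "key" or "password"

def password_meets_policy(password: str) -> bool:
    """Gate applied when a password is set; a stored hash cannot be re-checked later."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    return all(re.search(cls, password) for cls in CHARACTER_CLASSES)

def audit_accounts(accounts, approved_tickets):
    """Return {username: [findings]} for accounts that fall outside the policy."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct.created_by not in APPROVED_PROVISIONERS:
            issues.append("created outside the approved user-creation process")
        if acct.approval_ticket not in approved_tickets:
            issues.append("no matching approval record")
        if acct.auth_method == "password":
            issues.append("password authentication; complexity not verifiable from the stored hash")
        if issues:
            findings[acct.username] = issues
    return findings

# Constructed sample records, not data from the incident.
SAMPLE_ACCOUNTS = [
    SftpAccount("partner-feed-01", "iam-provisioning", "CHG-1001", "key"),
    SftpAccount("tmp-upload", "ops-admin-laptop", "", "password"),
]
APPROVED_TICKETS = {"CHG-1001"}

if __name__ == "__main__":
    for user, issues in audit_accounts(SAMPLE_ACCOUNTS, APPROVED_TICKETS).items():
        print(user, "->", "; ".join(issues))
```

Running the audit on a schedule, rather than once for the auditor, gives the detection control the Regulator found missing.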