Authority: Regulator - SA
Jurisdiction: South Africa
Relevant law: Section 19, 22 of Protection of Personal Information Act No. 2 of 2000, as amended
Type: Violation
Outcome: Violation
Started: N/A
Decided: 9 May 2023
Published: 10 May 2023
Fine: R5 million
Parties: Regulator vs. Department of Justice & Constitutional Development
Case No.: Department of Justice and Constitutional Development Assessment Report
Appeal: Yes
Original Source: PAIA
Original contributor: MZIZI Africa

Summary

Enforcement action was taken against the Respondent after its IT systems were infiltrated and compromised by unknown threat actors. The compromise rendered the Respondent's systems unavailable to its employees, which in turn disrupted the services it renders to the public.

Facts

This was an own-initiative investigation by the Regulator, in terms of section 76(3) of the Protection of Personal Information Act 4 of 2013 (POPIA), into the Department of Justice and Constitutional Development (the "DoJ&CD" or the "Respondent").

In September 2021 the DoJ&CD suffered a security compromise of its IT systems. An unknown threat actor gained unauthorised access and installed malicious software, the "Mespinoza Ransomware Virus", on the Respondent's computer processing infrastructure. This left the department's systems unavailable to its employees and subsequently affected services to the public. The threat actor gained access to approximately one thousand, two hundred and four (1,204) files.

Following the assessment, the Regulator found that the Respondent had failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from its environment. This was a result of the Respondent's failure to renew the following licences, which had expired in 2020:

  * the Trend Anti-Virus licence;
  * the SIEM (Security Information and Event Management) licence; and
  * the Intrusion Detection System licence.

The Regulator also found that the Respondent had failed to take reasonable measures to identify all reasonably foreseeable internal and external risks to the personal information in its possession or under its control, and to establish and maintain appropriate safeguards against those risks.

Holding

The Regulator held that the Respondent must, within 31 days of receipt of the Enforcement Notice, submit proof to the Regulator that the Trend Anti-Virus licence, the SIEM licence and the Intrusion Detection System licence have been renewed.

UPDATE: The Respondent failed to comply with the enforcement notice issued by the Regulator on 9 May 2023. On 3 July 2023, the Regulator issued an infringement notice to the Respondent, in which it ordered the Respondent to pay an administrative fine of R5 million. It also required the Respondent to institute disciplinary proceedings against the official(s) who failed to renew the licences, which are necessary to safeguard the department against security compromises.