The Information Regulator in South Africa has taken decisive action against major credit bureau TransUnion in response to a data breach that occurred on 18 March 2022. N4ugthySecTU, the group claiming responsibility for the attack, alleged the exfiltration of 4TB of data from one of TransUnion’s databases, including the records of 54 million South Africans. Although TransUnion initially stated that “at least” 3 million South African customers’ details were impacted, it revised these numbers to reflect that data related to 5 million consumers was potentially affected, with a further 5.2 million having only their ID numbers exposed, not linked to other personal information.
The Information Regulator’s assessment concluded that TransUnion breached the conditions for the lawful processing of personal information, citing various shortcomings in their security measures and access control policies. Consequently, an enforcement notice has been issued against TransUnion, compelling the company to take three remedial steps. Firstly, to develop and implement security measures ensuring the integrity and confidentiality of personal information, prevent unauthorized access, and protect against loss or damage. Secondly, to engage the services of a qualified auditor to review all user accounts against its SFTP user creation policy. Lastly, to conduct a personal information impact assessment to ensure compliance with lawful processing conditions. The Information Regulator has set a deadline of 26 May 2024 for TransUnion to submit proof of the implementation of these remedial measures.
This enforcement notice serves as a reflection of the increasing regulatory scrutiny on data protection and privacy, emphasizing the importance of robust security measures and compliance with data protection regulations. It underscores the significance of proactive and comprehensive approaches to safeguarding personal information, especially in the context of major data breaches, ensuring compliance with stringent regulatory standards. The stringent requirements outlined in the enforcement notice highlight the critical need for organizations to prioritize data security and privacy, reinforcing the accountability and responsibility associated with handling sensitive personal information.
