The Information Regulator of South Africa has given TransUnion credit bureau until Tuesday to submit details regarding the hacking incident that may have compromised the security of personal information of an undisclosed number of people.
TransUnion has confirmed that a criminal third-party unlawfully gained access to its South African server through “misuse of an authorised client’s credentials”.
Hackers are thought to have gained access to millions of South Africans’ ID numbers, banking details, and credit scores.
Reports suggest that N4aughtysecTU claimed responsibility and demanded a ransom in bitcoin. The notorious Brazilian hacker group has reportedly given TransUnion seven day to pay the ransom.
“We have received an extortion demand and it will not be paid,” TransUnion said.
On Saturday the regulator said it was taking into account “the implications for many data subjects that could arise as a result of this incident should notification of the data subjects not be treated as a matter of urgency”.
The regulator seeks to enforce the Protection of Personal Information Act (POPIA) seeks to protect natural and juristic persons from harm by protecting their personal information.
In that regard, the regulator said: “It was agreed that TransUnion will, by Tuesday 22 March 2022, submit to the regulator specific details regarding the number of affected parties and their plan to notify data subjects in terms of Section 22 of POPIA”.
Furthermore, the Regulator has instructed TransUnion to report to it on: the date that the security compromise occurred, the cause of the security compromise, details of investigations into the security compromise, the extent and materiality of the security compromise, interim measures put in place to prevent a recurrence of the security compromise, and security measures that TransUnion Credit Bureau has put in place to prevent a recurrence of the security compromise.
The regulator said this information it is seeking from TransUnion is intended to enable it to assess and institute further investigations.
Meanwhile, the chief executive of the South African Banking Risk Information Centre (SABRIC), Nischal Mewalall said: “SABRIC has already engaged TransUnion South Africa with the aim to coordinate the banking industry’s efforts to secure bank customers’ profiles against abuse.”