The Information Regulator of South Africa on Friday said it was not satisfied with TransUnion’s response to the hacking incident in which data belonging to millions of individuals was unlawfully accessed by hackers.
Hackers gained access to millions of South Africans’ ID numbers, banking details, and credit scores.
Last week, Brazilian hackers N4aughtysecTU claimed responsibility and demanded a ransom in bitcoin, which TransUnion said it had refused to pay.
The Information Regulator had given TransUnion until Tuesday this week to report to it on: the date that the security compromise occurred; the cause of the security compromise; details of investigations into the security compromise; the extent and materiality of the security compromise; and interim measures put in place to prevent a recurrence of the security compromise.
However, on Friday the Information Regulator said: “The notification that TransUnion submitted is inadequate, unsatisfactory and falls short of what is required by the Protection of Personal Information Act”.
The Information Regulator said the notification “does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise”.
The Information Regulator said the notification submitted by TransUnion omits critical information that provides assurance on how the matter is managed.
“The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis,” said the regulator.
“This leaves the regulator extremely concerned regarding the adequacy of safeguards at TransUnion for the protection of personal information as is required in terms of POPIA”.
The regulator said it has now further directed TransUnion to provide it with a “detailed description of the possible consequences of the security compromise and its impact on data subjects”.
TransUnion has also been asked to provide details of what advice and recommendations it has on the measures to be taken by the data subjects to mitigate the potential adverse effects of the security compromise.
The regulator said TransUnion must use all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise.
The regulator “expressed grave concern about the credit bureau’s approach to ensuring that the affected data subjects’ personal information is protected and that there are no further malicious actions with it by unauthorised persons in possession of the information”.
The regulator said it has also asked TransUnion to provide it with confirmation that a criminal case has been opened.