Major credit bureau slapped with enforcement notice for data breach in South Africa

MyBroadband

The Information Regulator has slapped credit bureau TransUnion with an enforcement notice following a data breach on 18 March 2022.

N4ugthySecTU, the group that claimed responsibility for the attack, alleged that they exfiltrated 4TB of data from one of TransUnion's databases, including the records of 54 million South Africans.

However, the bureau said far fewer people were impacted.

Initially, TransUnion stated that at least 3 million of its South African customers' details were affected. A further 6 million ID numbers were exposed but not linked to other personal information.

TransUnion revised these numbers in June 2022.

"Our understanding is that data relating to 5 million consumers was potentially affected by the incident, with a further 52 million consumers having had only ID numbers affected, with no personal information linked to the ID number," it said.

TransUnion refused to pay a $15 million (R224 million at the time) ransom to prevent the data being leaked online.

Shortly after reports of the breach surfaced, the Information Regulator berated TransUnion for its notification not meeting Protection of Personal Information Act requirements.

The Regulator conducted an assessment, which has found, among others, that TransUnion breached the conditions for the lawful processing of personal information.

It highlighted the following issues:

As a result of its findings, the Information Regulator has issued an enforcement notice against TransUnion.

It ordered the company to take three remedial steps.

Firstly, TransUnion must develop and put in place security measures to ensure the integrity and confidentiality of personal information in its possession or under its control.

These security measures must prevent loss of, damage to, unauthorised destruction or unlawful access to personal information.

Secondly, it must obtain the services of a qualified auditor to audit all user accounts against its SFTP user creation policy.

The auditor must determine if the configuration of any user accounts still falls outside the prescripts of the policy.

Finally, TransUnion must conduct a personal information impact assessment.

This is to ensure adequate measures and standards exist to comply with the conditions for the lawful processing of personal information.

TransUnion has until 26 May 2024 to submit proof that all the remedial measures have been implemented, the Information Regulator said.