Information Regulator unhappy with TransUnion’s ‘inadequate’ response to hacking

The Information Regulator of South Africa has described a report submitted by TransUnion following a massive cyberattack on its systems as inadequate and unsatisfactory.

The credit bureau was asked to provide the regulator with a report after hackers gained access to one of its servers this past weekend. 


The hackers are threatening to make public the personal details belonging to some 50 million people unless a ransom amount of R224 million is paid.


The Information Regulator has since asked TransUnion to submit a report explaining the circumstances of the security compromise.


Spokesperson Nomzamo Zondi says the report submitted falls short of what is required by the Protection of Personal Information Act (POPIA).


“The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise. It omits critical information that provides assurance on how the matter is managed.


“The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis. This leaves the regulator extremely concerned regarding the adequacy of safeguards at TransUnion for the protection of personal information as is required in terms of POPIA.”


Zondi says the regulator will conduct its own assessment.


“Following a careful assessment of the contents of the credit bureau’s security compromise notification, and the extent and severity of the security compromise, the Regulator will conduct an assessment on its own initiative into the appropriateness of TransUnion's security measures on integrity and confidentiality of personal information of data subjects in its possession or under its control.


“The regulator has subsequently written to the credit bureau and expects a response by 1 April 2022.”

