The Africa-wide subsidiary of TransUnion, an American consumer credit reporting agency, has confirmed that it was hacked by self-named ransomware gang N4aughtyTU and was a victim of a data breach. Poor password management controls created internal vulnerabilities which the hacker group exploited by further demanding a ransom of $15 million in order to recover 4TB of personally identifiable data.

"A criminal third party obtained access to a TransUnion South Africa server through misuse of an authorised client’s credentials. Immediately upon discovery of the incident, TransUnion South Africa suspended the client’s access, engaged cybersecurity and forensic experts, and launched an investigation," reads a statement by TransUnion.

More data breaches in South Africa

Although it is alarming, the TransUnion data breach is not the first to affect millions of South Africans.

In 2017 South Africa experienced what was then the largest ever data breach affecting people in South Africa. On 17 October 2017 discovered an SQL database with close to 60 million unique records of people in South Africa. At first, we suspected it was a breach of a credit bureau considering that the data leaked publicly on the web contained credit-related information as well as property and Companies and Intellectual Property information. It turned out that the database was prepared by now-defunct data aggregation company Dracore Data Sciences for one of its real estate agency clients.

On 3 September 2020 we, thanks to a tip-off, discovered a database on a public file sharing website containing the personal information of as many as 24 million South Africans and 793,749 businesses in South Africa. The database belonged to another credit bureau, Experian.

Negatively affects people in South Africa

The company headquartered in South Africa has put a statement also stating that the security incident impacted "an isolated server holding limited data from our South African business." Considering that all companies, banks, and credit consumers in South Africa likely have their records on TransUnion's systems, saying "an isolated server holding limited data" sounds like the credit bureau is trying to downplay the hack which could've likely affected over 50 million South Africans and organizations in South Africa.

According to South Africa's Protection of Personal Information Act (POPIA), once a breach is discovered, all persons affected by the breach must be personally notified of the event. The first breach alarm sounded on 11 March 2022. As of the date of publication, no notification to South African citizens had been issued informing them of the breached data.  

What should happen next

TransUnion is required by law to notify all customers affected by the breach. This notification must be issued as soon as possible so that citizens can increase their vigilance against potential phishing and social engineering attacks.

TransUnion also has operations in Botswana, Kenya, Namibia, Rwanda, Swaziland, Malawi, and Zambia. Though there is no evidence that the breach affected customers outside of South Africa's borders, regulators and security practitioners in these countries should exercise caution in their prevention and incident response mechanisms.

This point, that TransUnion should notify all customers of the data breach, is echoed by the Information Regulator (South Africa) in an interview with Furthermore, the Regulator has told whether or not it takes punitive action, and the type of punitive action it takes will be determined by its ongoing investigation.

Interview with Adv. Collen Weapond

Office of the Information Regulator (South Africa) Has TransUnion officially notified the Regulator of the security incident?

Information Regulator (South Africa): The Regulator has received a notification from TransUnion in terms of section 22(1)(a) of the Protection of Personal Information Act, 4 of 2013 (POPIA).

Given admittance by TransUnion through issuing a public statement, what punitive measures (if any) will the regulator be taking?

The Regulator will first have to engage TransUnion to ascertain the root cause of, and the extent of the security compromise as well as the impact thereof. Furthermore, if the Regulator decides to act, it will have to consider the most appropriate approach to the security compromise, including a pre-investigation in terms of section 79 or an assessment in terms of section 89(1) of POPIA. Parties will have to be informed of the outcome of such an investigation or assessment. The Regulator will also have to decide on the next step based on the outcome of the investigation or assessment.

What is the acceptable method through which TransUnion must notify its customers?

Section 22(4) requires that the notification to a data subject must be made in writing, and be communicated in at least one of the following ways:

  • mailed to the affected data subject, at the last know physical or postal address;
  • sent by e-mail to the to the data subject’s last known e-mail address;
  • placed in a prominent position on the website of the responsible party;
  • published in the news media; or
  • as my [sic] be directed by the Regulator.

Any closing remarks on this incident?

The notification referred to above must, in terms of section 22(5), provide sufficient information to allow the data subject to take proactive measures against the potential consequences of the compromise, including –

  • a description of the possible consequence of the security compromise;
  • a description of the measures that the responsible party intends to take or has taken to address the security compromise;
  • a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
  • if known to the responsible party, the identity of the unauthorized person who may have accessed or acquired the personal information.

— By Bataung Qhotsokoane

Share this via