SA's Information Regulator fines justice department over data breach
South Africa's Information Regulator has handed down a landmark fine of 5 million South African rand (US$267,400) to the country's Department of Justice and Constitutional Development (DoJ&CD) for failing to adequately protect personal information connected to a data breach that happened back in 2021.
This is the first major penalty imposed by the Information Regulator, which is empowered to monitor and enforce compliance by public and private bodies with the provisions of South Africa's Protection of Personal Information Act (POPIA).
POPIA's official commencement date was July 1, 2020, and South Africans were given a one-year grace period to become compliant by June 30, 2021.
The "administrative fine" was handed down on July 3, 2023, after the DoJ&CD failed to comply with an Enforcement Notice issued by the Regulator in May 2023, which found the department had contravened various sections of POPIA.
Failure to protect personal information
The issue traces back to September 2021, when the DoJ&CD suffered a security breach on its IT systems, reported by Bloomberg at the time as a ransomware attack. This left the department's systems unavailable to its employees and, in turn, disrupted public services.
The Regulator conducted an assessment and found that the department "had failed to put in place adequate technical measures to monitor and detect unauthorized exfiltration of data from their environment resulting in the loss of approximately 1,204 files."
This occurred as a result of the department's failure to renew the Security Incident and Event Monitoring (SIEM) license which would have enabled it to monitor unusual activity on its network and keep a backup of the log files.
The SIEM license expired in 2020 and the Regulator said that the failure to renew the license resulted in the unavailability of critical information contained in the log files.
The DoJ&CD also failed to renew the Intrusion Detection System license, which had expired in 2020 as well.
The Information Regulator said in an initial statement in May that had this license been renewed, the department would have received alerts of suspicious activity by unauthorized people accessing the network.
The department's Trend Antivirus license was also not renewed when it expired in 2020, which meant the virus definitions for known malware threats were no longer being updated.
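The three findings above share one root cause: security tooling that silently stopped working when its license lapsed, so logs stopped being retained and alerts stopped firing. The script below is an added example, not part of the article or of any tool the Regulator referred to; it audits a constructed inventory of controls for lapsed or soon-to-lapse licenses and for telemetry that has gone silent, and flags controls where both are true as an active detection gap. The control names, dates, thresholds and the reference date are all invented for the example.

```python
from datetime import date

# Constructed inventory of security controls. The first three mirror the
# control types named in the Regulator's findings (SIEM, intrusion detection,
# antivirus); the dates, the thresholds and the two extra controls are invented.
# "last_signal" is the last day the control emitted an event, alert or
# definition update that the monitoring team actually received.
CONTROLS = [
    {"name": "SIEM", "license_expires": date(2020, 8, 31),
     "last_signal": date(2020, 8, 31), "max_silence_days": 1},
    {"name": "IDS", "license_expires": date(2020, 11, 15),
     "last_signal": date(2020, 11, 15), "max_silence_days": 1},
    {"name": "Antivirus", "license_expires": date(2020, 10, 1),
     "last_signal": date(2020, 10, 1), "max_silence_days": 2},
    {"name": "EDR", "license_expires": date(2022, 3, 1),
     "last_signal": date(2021, 9, 1), "max_silence_days": 1},
    {"name": "Email gateway", "license_expires": date(2021, 10, 15),
     "last_signal": date(2021, 9, 1), "max_silence_days": 1},
]

# Constructed reference date for the audit run (the breach occurred in
# September 2021; the exact day here is an assumption).
REFERENCE_DATE = date(2021, 9, 1)


def audit_controls(controls, today, warn_days=60):
    """Return {control name: [issue, ...]} for every control with a problem.

    Issues raised:
      LICENSE_EXPIRED  - the license lapsed before `today`
      LICENSE_EXPIRING - the license lapses within `warn_days`
      NO_TELEMETRY     - no event or update seen for longer than max_silence_days
    """
    report = {}
    for control in controls:
        issues = []
        days_left = (control["license_expires"] - today).days
        if days_left < 0:
            issues.append("LICENSE_EXPIRED")
        elif days_left <= warn_days:
            issues.append("LICENSE_EXPIRING")
        # A control that has stopped sending anything is just as blind as one
        # with no license; check it independently so a silent-but-licensed
        # control is caught too.
        silence = (today - control["last_signal"]).days
        if silence > control["max_silence_days"]:
            issues.append("NO_TELEMETRY")
        if issues:
            report[control["name"]] = issues
    return report


def detection_gaps(report):
    """Controls that are both unlicensed and silent: the state the Regulator
    described, where nothing was watching the network or retaining logs."""
    return sorted(name for name, issues in report.items()
                  if "LICENSE_EXPIRED" in issues and "NO_TELEMETRY" in issues)


def example_report():
    """Audit the constructed inventory at the constructed reference date."""
    return audit_controls(CONTROLS, REFERENCE_DATE)


if __name__ == "__main__":
    report = example_report()
    for name, issues in sorted(report.items()):
        print(f"{name:14} {', '.join(issues)}")
    print("active detection gaps:", detection_gaps(report))
```

Running the audit weekly and tracking the license-expiry and last-signal dates in the same inventory is the point: a lapsed SIEM subscription shows up as an expired license and as a log source that has gone quiet, which is far easier to act on than discovering after a breach that a year of log files was never written.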
The Regulator also found that the DoJ&CD had failed to take reasonable measures to identify, or reasonably foresee, internal and external risks to the protection of personal information or establish and maintain appropriate safeguards against the identified risks.
"In this regard, the department failed to establish and maintain appropriate safeguards against the risks identified and to regularly verify and update the security safeguards against malware threats," the authority said.
South Africa's Information Regulator found that the DoJ&CD's antivirus license, Security Incident and Event Monitoring license, and Intrusion Detection System license had all expired at the time of the data breach. (Source: DCStudio on Freepik)
"With the rising scourge of security compromises, responsible parties are urged to improve their information security systems to ensure that there are adequate safeguards to protect personal information of data subjects in their possession or under their control. The Regulator places emphasis on the management of risks arising from security compromises," the Information Regulator added.
Just last week, a report from Liquid C2 showed that the number of cyberattacks on businesses in South Africa increased by 62% during 2022, and 56% of South African businesses surveyed had experienced a data breach in the past year.
Consequences come down
The Regulator said the DoJ&CD had contravened sections 19 and 22 of POPIA and ordered the department to submit proof within 31 days that the SIEM and Intrusion Detection System licenses had been renewed.
It was also told to institute disciplinary proceedings against the officials who failed to renew the licenses, which are necessary to safeguard the department against security compromises.
The 31-day grace period expired on June 9, 2023, and in a statement on July 4, 2023, the Regulator said it had still not been provided with a report on the implementation of the required actions, hence the R5 million fine.
The fine could have been worse: The Regulator has the right to impose an administrative fine of up to R10 million (US$534,830) and the responsible officials could face jail time.
The department now has 30 days from July 3, 2023, to either pay the administrative fine, make arrangements with the Regulator to pay it in installments, or elect to be tried in court on a charge of having committed the alleged offense referred to in terms of POPIA.
*Top image source: rawpixel.com on Freepik.
— Paula Gilbert, Editor, Connecting Africa