The Regulator is dissatisfied with Transunion’s response, and it initiates an assessment on the security compromise

The Information Regulator has expressed continued dissatisfaction with the security compromise notification submitted by TransUnion, following the instructions given to the credit bureau on 19 March 2022 when the Regulator called on TransUnion to explain the circumstances of the security compromise that it experienced. The notification that TransUnion submitted is inadequate, unsatisfactory and falls short of what is required by the Protection of Personal Information Act (POPIA).

The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise. It omits critical information that provides assurance on how the matter is managed.

The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis. This leaves the Regulator extremely concerned regarding the adequacy of safeguards at TransUnion for the protection of personal information as is required in terms of POPIA.

The Regulator has now further directed TransUnion to provide it with a;

• Detailed description of the possible consequences of the security compromise and its impact on data subjects

• Advice and recommendations on the measures to be taken by the data subjects to mitigate the potential adverse effects of the security compromise.

• Description of the measures that TransUnion intends to take or has taken to address the security compromise

POPIA empowers the Regulator to direct a responsible party to publicise in any manner specified any information whose publicity would protect a data subject who may be affected by a security compromise. To this extent, and after considering the nature of personal information that has been compromised, the Regulator has directed that, over and above other means of notification that TransUnion has employed, it must use all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise.

Additionally, following a careful assessment of the contents of the credit bureau’s security compromise notification, and the extent and severity of the security compromise, the Regulator will conduct an assessment on its own initiative into the appropriateness of TransUnion’s security measures on integrity and confidentiality of personal information of data subjects in its possession or under its control. The Regulator has subsequently written to the credit bureau and expects a response by 01 April 2022.

The Regulator has expressed grave concern about the credit bureau’s approach to ensuring that the affected data subjects’ personal information is protected and that there are no further malicious actions with it by unauthorised persons in possession of the information. The Regulator has asked TransUnion to provide it with confirmation that a criminal case has been opened with the SAPS, in terms of the Cybercrimes Act, Act No. 19 of 2020. If no criminal case has been opened, the Regulator has requested reasons for the delay in doing so.

Source: Government of South Africa