Vodacom and MTN have not notified Information Regulator of location data breach
Vodacom and MTN have yet to inform the Information Regulator of South Africa of the unlawful use of cellphone location data by Wireless Application Service Providers (WASPs) to track subscribers on their networks.
This follows investigations into the murder of Lieutenant-Colonel Charl Kinnear, which revealed that criminals were able to track Kinnear’s movements through his phone using location-based data and plan his assassination.
Kinnear’s assassination exposed the widespread abuse of location-based data to track the movement of South Africans without their knowledge or consent. This data is provided to companies by Vodacom and MTN.
The Information Regulator confirmed to MyBroadband that cellphone location data is considered personal information, and that the regulator must be notified if there has been a security breach involving location data.
“Section 22(1) and (2) of POPIA requires that responsible parties such as Vodacom and MTN notify the Information Regulator if there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person,” the Information Regulator told MyBroadband.
POPIA is the Protection of Personal Information Act of 2013.
The Information Regulator stated that notifications from responsible parties must be made “as soon as reasonably possible” after the discovery of the security compromise.
POPIA does not specify a timeframe to notify the Information Regulator about an alleged security compromise.
“Before a responsible party like Vodacom or MTN can notify the Information Regulator about an alleged security compromise, cognisance should be taken of legitimate needs of law enforcement and any measures necessary to determine the scope of the compromise,” the regulator stated.
Should Vodacom and MTN fail to give notice of the breach, the Information Regulator explained that they would not face any real consequences.
President Cyril Ramaphosa announced earlier this year that the provisions of POPIA would come into effect on 1 July 2020.
However, two sections of the law will only come into effect on 1 July 2021, effectively giving companies a one-year grace period to comply with POPIA.
“As a result of the automatic grace period of twelve months from 1 July 2020, the Regulator’s enforcement powers were automatically suspended,” it said.
Despite this, the regulator said that it is important that responsible parties like Vodacom and MTN ensure compliance with the provisions of POPIA during the grace period.
“The Information Regulator designed and maintained a Data Breach Register to enable responsible parties to report any security compromise, such as a data breach,” the regulator stated.
“The Information Regulator has continuously advocated for proactive compliance by responsible parties with the provisions of POPIA, particularly section 19 to 22.”
These sections deal with the security safeguards that should be in place when you handle someone’s personal information, and lay out the requirements for notifications of security compromises.
How WASPs could track your phone
Vodacom and MTN provided access to cellphone location data on their networks to Wireless Application Service Providers (WASPs) that signed agreements with them.
Under the terms of these agreements, WASPs are only supposed to use this data when a subscriber gives their consent.
However, News24 reported that location data was sold to individuals and private investigators who would pay to track people without their knowledge.
While Vodacom and MTN said that they do have controls in place to guard against abuse, these were circumvented.
Vodacom confirmed that while it is technically possible for WASPs to bypass its controls, it “would be irresponsible to suggest widespread abuse of the system”.
MTN and Vodacom take action against WASPs using location-based data
After MTN and Vodacom were informed about the abuse of cellphone location data on their networks, they said they had cut off WASPs while they looked into the matter.
MTN shut down all access to the nine WASPs with which it has contracts to offer location-based services. This was after none of the nine WASPs could produce the audit logs requested by MTN.
Vodacom said it has suspended the services of a company using its location-based services pending further investigation.
MTN has also threatened civil and criminal action against WASPs, or any other service provider, that puts the privacy of its customers at risk.
MTN recently concluded its investigation into the abuse of location-based services, with concerning results.
“There is sufficient cause for the suspension of all current location-based service providers pending a full forensic investigation that will determine the scope and scale of any abuse,” said MTN SA’s executive for corporate affairs, Jacqui O’Sullivan.
“Should abuse be identified, through our end-to-end forensic investigation, MTN will not hesitate to pursue both criminal and civil charges against the perpetrators of the abuse.”