In August alone, 38 organisations suffered security breaches that they self-reported to the Information Regulator.
“As the Regulator, we are concerned about the high number of security breaches in South Africa,” said chairperson Pansy Tlakula.
Tlakula revealed the figure in the wake of the ransomware attack on the Department of Justice and Constitutional Development (DOJ&CD), which has brought South Africa’s legal system to its knees.
The attack occurred on 6 September. According to reports, it disrupted everything from bail services to deceased estates.
It also disrupted the ability to file court papers, causing cases to be postponed.
“This security breach did not only interrupt the DOJ&CD’s IT systems but also impacted on the work of the Information Regulator which relies on the DOJ&CD’s IT systems for its own operations,” Tlakula stated.
“As a result of this security breach, the Regulator’s website was temporarily unavailable, and the e-mail system went offline and remains unavailable.”
Last week, the Regulator said in a statement that they have written to DOJ&CD to remind them of their obligations in terms of Section 22 of the Protection of Personal Information Act (POPIA).
POPIA requires responsible parties to notify the Regulator and the data subject where reasonable grounds exist, and the personal information of a data subject has been accessed or acquired unlawfully.
“Responsible parties are reminded of their obligation under POPIA to secure the integrity and confidentiality of personal information of data subjects by taking appropriate, reasonable technical and organisational measures to prevent unlawful access to or processing of personal information,” Tlakula said.
“It is our role to ensure that personal information is processed safely and securely. Failure to do so has legal consequences,” she said.
The Regulator advised that ransomware is often spread through phishing emails containing malicious attachments or through drive-by downloading.
Drive-by downloading is when a user unknowingly visits an infected website, and then malware is downloaded and installed without the user’s knowledge.
In the case of a ransomware attack, this leads to all the information systems being encrypted and rendered unavailable to employees and members of the public.
“As a result, all electronic services provided by the Regulator have been affected, including emails, applications, complaints and the website,” Tlakula said.
“So far, no indication of data compromise has been detected on the systems.”
In a recent statement, the justice department said that it had recovered some functionality of its system for child maintenance payments, MojaPay.
It said that it made payments on 15 September 2021, and the money is expected to reflect in beneficiary accounts in the next few days.
“The Master’s Offices around the country continue to, as [an] interim measure, use [a] manual process to provide bereaved families, in exceptional cases, where there is a need to access funds from the deceased’s banking account for burial costs,” it said.
“However, no manual letters of executorship or authority will be issued during this crisis period.”