South African justice department clueless about hacked data
The Department of Justice and Constitutional Development (DoJ&CD) has no idea whether any data was stolen during a ransomware attack on its systems in September 2021.
“The Department cannot tell with certainty as to what happened to the compromised information,” justice minister Ronald Lamola said in response to written questions from the DA’s Glynnis Breytenbach.
“As at 1 December 2021, the analysis and/or forensic investigation is still inconclusive in terms of the exact nature of the information that was sent outside of the Department as part of the breach,” Lamola stated.
“This information should present itself as part of the forensic investigation as expected to be conducted from the case that was opened with the South African Police Service,” he said in a reply to a separate question.
Lamola said the forensic investigation by the police is ongoing, and the department hopes the final report will help to identify the attackers and answer the question of whether any data was exfiltrated.
“The Information Regulator will be informed once the information becomes available,” the department said.
When asked about the decryption of the data, Lamola explained that the department never intended to decrypt it, but was able to restore the data from backups.
“The information or data that was encrypted was never decrypted because it needs a special decryption key which the Department of Justice and Constitutional Development does not have,” he said.
This is the nature of a ransomware attack: criminals gain entry into your systems and encrypt your data with keys they control, then try to extort you for the decryption key, which only they hold, to get your files back.
Some ransomware groups also take a copy of the data and threaten victims with leaking unencrypted versions of it online if they don’t pay.
Victims are usually discouraged from paying, as there is no guarantee that attackers will actually give you the decryption key, or that they haven’t destroyed your files and left garbage data on your systems to make it look like they were encrypted.
“The information that was encrypted is still there in an encryption format, there is no way of decrypting the information.”
However, the department was able to restore its systems fully from its backup tapes.
“The focus was never to decrypt the information, instead, the information and systems were restored from the backup tapes,” Lamola said.
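The two points above, that the encrypted files are unrecoverable without a "special decryption key" the department never had, and that the workable path was a restore from backup tapes, come down to the envelope-encryption pattern ransomware uses. The following Go program is an added example written for this article; it is not the attackers' code, not the department's, and the record contents, the digest recorded at backup time and the 2048-bit attacker keypair are all constructed here for the demonstration. It shows why the victim's own keys cannot open the files, why a test decryption would expose a wrong key or files overwritten with garbage, and why a backup is only restored after its digest is verified.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is the on-disk artefact ransomware leaves behind: the per-file
// key wrapped under the attacker's RSA public key, plus the AES-GCM ciphertext.
type LockedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Lock models the attacker side: a fresh random AES-256 key per file, wrapped
// with RSA-OAEP so that only the holder of the matching private key can recover it.
func Lock(attackerPub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Zero the plaintext file key: nothing left on the victim's disk can
	// unwrap the file without the attacker's private key.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock models the "decryptor" sold for the ransom: it needs the attacker's
// private key. A wrong key fails at the OAEP unwrap; a file that was overwritten
// with garbage instead of encrypted fails the GCM authentication tag, so a test
// decryption before any payment exposes either case.
func Unlock(attackerPriv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, attackerPriv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext did not authenticate (wrong key or garbage data): %w", err)
	}
	return pt, nil
}

// RestoreFromBackup is the path the department actually took. The backup copy
// is trusted only if it matches the digest recorded when the backup was taken,
// which is the check that catches copies altered after the intrusion began.
func RestoreFromBackup(backup []byte, recordedDigest [sha256.Size]byte) ([]byte, error) {
	if sha256.Sum256(backup) != recordedDigest {
		return nil, errors.New("backup digest mismatch: do not restore this copy")
	}
	return append([]byte(nil), backup...), nil
}

func main() {
	// Constructed sample record and attacker keypair, for this demonstration only.
	record := []byte("Master's office: estate 12345, inheritance payment pending")
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	digestAtBackupTime := sha256.Sum256(record)

	locked, err := Lock(&attackerKey.PublicKey, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk after the attack: %d bytes of ciphertext and a wrapped key\n", len(locked.Ciphertext))

	// The victim holds keys of its own, but they are not the attacker's.
	victimKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := Unlock(victimKey, locked); err != nil {
		fmt.Println("victim's own key:", err)
	}

	restored, err := RestoreFromBackup(record, digestAtBackupTime)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored from verified backup:", bytes.Equal(restored, record))
}
```

The design point is in Lock: the per-file key exists in plaintext only in the attacker's process for a moment, and the only durable copy is the RSA-wrapped one, so no amount of forensics on the victim's disk yields it. That is why the decision reduces to "pay and hope the decryptor works" or "restore from media the attacker could not reach", and why the digest check in RestoreFromBackup matters before trusting the tape.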
He said the fingerprint verification link with Home Affairs remained offline even after the DoJ&CD’s systems were restored, delaying the processing of first and final inheritance payments.
The fingerprint verification facility was restored on 15 November and had been deployed to six Master’s offices across the country as of 3 December.
“The further rollout is currently a priority and should be restored to all Masters offices soon,” the department wrote.
The DoJ&CD was hit by a ransomware attack on 6 September 2021, knocking several critical systems offline. These included:
- Bail services
- Payment of child maintenance
- Correspondence with magistrates and judges, so no court papers could be filed
- Recording and transcription of court proceedings
- Master’s offices
The DoJ&CD informed the Regulator that the attacker’s identity was unknown, and that they had left behind text files consistent with ransomware.
These files contained instructions to the department to contact what seemed to be the perpetrators.
The department was initially steadfast in its belief that no sensitive data had been leaked and that systems would be restored from backups.
However, the Information Regulator reported — and the department later confirmed — that personal details might have been compromised.
Department of Justice director-general advocate Doctor Mashabane said that at least 1,200 files may have been compromised.
A source previously told MyBroadband that the DoJ's claim that it did not receive a ransom demand is incorrect, and that the attackers demanded 50 bitcoin, around R33 million at the time.
The DoJ&CD disputed this and maintained that the attackers had not communicated any ransom amount to it.