Zero fines after 500 reported POPIA offences
![](https://mybroadband.co.za/news/wp-content/uploads/2022/03/TransUnion-hack-new--800x533.jpg)
No fines have been issued against any South African company for violating the Protection of Personal Information Act (POPIA).
This was revealed by Information Regulator president Pansy Tlakula during a recent ITWeb conference.
Tlakula said that her office had received over 500 notifications of data violations to date, but had not issued a single fine.
POPIA requires that “responsible parties” (also called data controllers), including businesses that store and manage large amounts of personal data, take certain measures to keep their customers’ information secure.
It was signed into law in 2013, but many of its key provisions only came into effect in July 2020.
Companies were given an additional 12 months to ensure that their data processing operations aligned with the Act, so it has effectively been in place since July 2021.
According to Cape Town law firm Michalsons, serious POPIA violations carry a fine of up to R10 million or ten years in jail.
The offences can be one of the following:
- Obstructing the regulator
- Failing to comply with an enforcement notice
- Giving false evidence before the regulator under oath
- Failing to comply with the conditions when processing account numbers
- Knowingly or recklessly obtaining or disclosing an account number
- Selling (or offering to sell) an account number
Fines for minor offences can go up to R1 million or one year in jail.
Abiding by POPIA, therefore, not only means that businesses act in the best interests of their customers and their reputation, but also protects their financial standing.
Cyberattacks a big threat to personal data exposure
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the responsible party must notify the Information Regulator.
One of the biggest challenges in avoiding POPIA violations is cyberattacks, with hackers actively targeting businesses’ data for financial gain.
The data they exfiltrate often includes customer information, which they then threaten to publish unless the targeted company pays.
Aside from getting consent to process data for specified purposes, businesses and other entities must store it securely and apply appropriate cybersecurity controls to protect their systems from exploitation by malicious actors.
MyBroadband has reported on numerous businesses and organisations which fell prey to attacks since POPIA came into effect, including Facebook, Dis-Chem, the SABC, Microsoft South Africa, a local Nespresso distributor, and a Vodacom-linked marketing agency.
But perhaps one of the most noteworthy incidents was the TransUnion data breach that occurred in March 2022.
In that case, the personal details of at least 3 million of the credit bureau’s customers, including South Africans, were leaked.
An additional 6 million ID numbers without other linked personal information were also compromised.
The leaked data included names, ID numbers, dates of birth, gender, contact details, marital status, identities of employers and durations of employment, and vehicle finance contract numbers and VINs.
In addition, spouse information, passport numbers, and credit or insurance scores were exposed in “isolated circumstances”.
Security experts have warned that malicious actors could use this data for identity theft and for phishing victims for further sensitive information, such as passwords.
The group who claimed responsibility for the data breach, N4ugthySecTU, alleged it had stolen 4TB of data, including a database of 54 million South African profiles.
N4ugthySecTU also claimed it obtained a database for TransUnion’s credit monitoring product, containing 3,083,227 records with full names, ID numbers, cellphone numbers, and email addresses.
It demanded to be paid $15-million (R217-million) in cryptocurrency in exchange for not leaking the data online, which it started posting on a Telegram channel.
That data included the home address, ID number, and cellphone number of President Cyril Ramaphosa.
The hackers alleged that they gained access to the databases through the account of a single TransUnion client, who had used “password” as the password for their profile.