Information Regulator tests its teeth — slaps Department of Justice with R5 million fine
The Information Regulator has issued an infringement notice to the Department of Justice and Constitutional Development (DoJ&CD), ordering it to pay an administrative fine of R5 million. (Pictured: Pansy Tlakula, Information Regulator chair.)
This was after it failed to comply with an enforcement notice the regulator issued on 9 May over a September 2021 ransomware attack.
Essentially, the regulator found that negligence contributed to the department falling victim to the attack.
In its May warning, the Information Regulator ordered that the department submit proof within 31 days that it had renewed licences for security software it said could have prevented or mitigated the ransomware attack.
Specifically, it ordered the department to renew its Trend Anti-Virus, Security Incident and Event Monitoring, and Intrusion Detection System licences.
The regulator had also ordered that those accountable for the negligence must face disciplinary proceedings.
It warned that should the DoJ&CD fail to heed its warning, “it will be guilty of an offence, in terms of which the Regulator may impose an administrative fine in the amount not exceeding R10 million, or liable upon conviction to a fine or to imprisonment of the responsible officials”.
“The thirty-one days given to the department expired on 9 June 2023,” the regulator said in a statement on Tuesday.
“To date, the department has not provided the Regulator with a report on implementation of the actions required in the Enforcement Notice or any other communication in that regard.”
It noted that the DoJ&CD had the right to appeal and failed to exercise that right.
As a result, the regulator imposed an administrative fine on the department on Monday.
“The DoJ&CD has 30-days from 3 July 2023 to pay the administrative fine or make arrangements with the Regulator to pay the administrative fine in instalments or elect to be tried in court on a charge of having committed the alleged offence referred in terms of POPIA,” it said.
Ransomware attack crippled SA courts
Ransomware attacks involve cybercriminals gaining access to systems and encrypting potentially valuable files, locking users out of their data.
System files are left intact so that users may access the system and see the “ransom note” left behind.
The ransom note may contain a demand for payment, in cryptocurrency, for a method to decrypt the files. It may also not mention a specific amount but direct users to a chat service on the dark web to negotiate a fee.
Attackers also often exfiltrate data from compromised systems and threaten to leak it online unless victims pay.
The ransomware attack on the DoJ&CD’s computer infrastructure severely impacted the Master’s Office and crippled South Africa’s courts for weeks.
In a statement issued three days after the attack, the department admitted that all its electronic services were affected, including issuing letters of authority, bail services, email, and the departmental website.
The attack raised concerns that people’s most sensitive information could be at risk, as the Master’s Office handles everything from child support payments to deceased estates.
Departmental spokesperson Steve Mahlangu initially said there was no indication that people’s data had been compromised.
Much later, it emerged that the attackers got their hands on 1,204 files.
Shortly after Mahlangu’s initial statement, a source told MyBroadband that the attackers had demanded 50 bitcoin for the safe return of the encrypted data.
They also said the department’s backups had been encrypted, suggesting a quick recovery from the incident wasn’t on the cards.
However, the department vehemently denied this, saying the attackers had not demanded any specific amount.
Although there was never any closure regarding the ransom demand and encrypted backups aside from the department’s denial, its systems only started coming back online four weeks after the attack.
In the interim, South Africa’s lower courts had to fall back to manual recording equipment. Master’s Offices were also forced to revert to manual systems, drastically slowing down services.
Then, in March 2022, it emerged that the DOJ&CD had allowed its IT contracts to lapse during 2021.
It got hacked a month after internal staff took over the previously outsourced functions.
It is this lapse for which the Information Regulator is cracking down on the department.