Information regulator chair Pansy Tlakula confirmed in an interview with the Sunday Times that neither the Department of Defence nor the State Security Agency (SSA) informed the regulator of alleged data breaches.
She added that, as a result, both parties have been sent information notices regarding the breaches.
“I don’t want to reference State Security or Defence because we are still investigating, but in general terms, to defy the regulator is a criminal offence,” said Tlakula.
“So apart from investigating the adequacy of the security measures, we’ll also investigate, even if they have informed us, if the notification was in compliance with our law.”
The alleged State Security data breach refers to an article from the Sunday World at the beginning of October. The report blind-quoted an anonymous “operative” claiming they suspect American or Russian intelligence of the hack.
The source reportedly said they also couldn’t rule out “internal forces” as South Africa’s political situation is currently “very volatile”.
The Department of Defence previously claimed that reports of a data breach were ‘fake news,’ but quickly retracted these statements to investigate the matter further.
It later again denied its network was hacked, saying the incident was the work of “criminal syndicates within the cyberspace” aided by information leaked from the department.
When asked about reports that both parties tried to cover up data breaches, Tlakula said she preferred not to answer as she would rather wait for information from the investigations before making presumptive comments.
However, she did note that it is concerning that the information relating to major state entity breaches mostly comes from the media.
State entities have a legal obligation to report any breaches to the regulator — so the fact that they are not doing so until the media reports on the incidents is problematic.
Thankfully, said Tlakula, the information regulator has a lot of ‘muscle’ when it comes to monitoring government bodies.
“Our assessment report is equivalent to an enforcement notice, which means it has to be complied with. If a body doesn’t comply, we issue an infringement notice.”
She added that these infringement notices can result in fines or criminal proceedings.
“It’s just that the route to the infringement notice is quite long,” said Tlakula.
Updates on investigations
Last month, the information regulator said it was close to revealing the outcome of its investigation into the TransUnion data breach of 2022.
This breach involved the bureau falling victim to the hacking group N4ughtySecTU.
According to TransUnion, ‘at least 3 million South African customers’ details were impacted.
The regulator also noted that investigating the Experian breach of 2020 could take longer.
The incident is believed to have exposed up to 24 million South Africans’ details, and the details of nearly 794,000 businesses.
Convicted fraudster Karabo Phungula obtained the dataset under false pretences and wanted to sell the data for R4 million.
Phungula allegedly stole the identity document of a businessman who had access to the Experian database, and used this to extract the information.
Phungula has been sentenced to 15 years in prison.