Security 12.02.2024

Tshwane University of Technology suffers ransomware attack — thousands of records stolen

Tshwane University of Technology (TUT) has suspended deputy vice-chancellor Professor Bhekisipho Twala over a data breach that resulted in “hundreds of thousands” of records being stolen, News24 reports.

The hack reportedly occurred on 17 December 2023, and Twala allegedly failed to address the attack or manage its aftermath.

Moreover, it was only reported to South Africa’s Information Regulator on 4 January 2024.

Twala heads the institution’s digital transformation portfolio and is considered one of the country’s leading artificial intelligence and data science experts.

While still unconfirmed, the ransomware group Rhysida is suspected of carrying out the attack. The group previously claimed responsibility for the cyber attack on the British Library in November 2023.

News24 cited sources who said Rhysida sent a screenshot warning TUT that its ICT system had been attacked. They added that backup data in the cloud server was accessed before being deleted.

TUT doesn’t know the full extent of the breach, and its executive is conducting a cyber forensic audit to find more information.

Staff have allegedly been kept in the dark, and those who know about the attack have been threatened not to speak out.

According to News24’s sources, the damage was total. The attackers encrypted the breached servers’ filesystems and deleted their backups.

In a ransomware attack, system files are left intact so that users can still access the system and see the “ransom note” left behind, which demands a sum of money, often in cryptocurrency, in exchange for a method to decrypt the files.

Many such attackers have added exposure extortion to their repertoire, threatening to leak and sell stolen data on the dark web.

MyBroadband asked Tshwane University of Technology for further information regarding the incident, but it hadn’t answered our questions by the time of publication.

Data breaches like the one at TUT can come with heavy consequences, particularly if the breach can be put down to negligence on the part of the institution.

South Africa’s Department of Justice and Constitutional Development was the victim of a ransomware attack in September 2021. The attackers encrypted the department’s files, impacting all electronic services.

Pansy Tlakula, Information Regulator chair

In May 2023, the country’s information regulator issued an Enforcement Notice to the department as it had determined that negligence was primarily to blame for the attack.

It conducted an assessment and found that the department had failed to put in place sufficient technical measures to monitor and detect unauthorised data access and exfiltration.

The Information Regulator said this had resulted in the loss of around 1,204 files.

“This occurred as a result of the DoJ&CD’s failure to renew the Security Incident and Event Monitoring (SIEM) licence, which would have enabled it to monitor unusual activity on their network and keep a backup of the log files,” it stated.

“The failure to renew the licence resulted in the unavailability of critical information contained in the log files. The SIEM licence expired in 2020.”

Its investigation found that the justice department had also failed to renew the Intrusion Detection System licence, which also lapsed in 2020.

“Had this licence been renewed, the department would have received alerts of suspicious activity by unauthorised people accessing the network,” the regulator said.

“The Trend Antivirus licence was also not renewed in 2020 when it expired. The failure to renew this licence resulted in the virus definition for known malware threats not being updated.”

However, the Department of Justice and Constitutional Development failed to adhere to the Information Regulator’s Enforcement Notice by its deadline, forcing the regulator to slap the department with a R5 million fine.

The justice department has said it intends to fight the fine in court.
