South African agency waits three months to reveal data breach — importers and exporters furious
South African importers and exporters are livid after the International Trade Administration Commission (Itac) notified them about a ransomware attack — more than three months after it happened.
Itac informed its stakeholders about the security incident this week and said the attack had happened in January already.
Itac’s functions include tariff investigations and import-export controls, requiring a wide range of personal and other sensitive information.
A notice from Itac chief commissioner Ayabonga Cawe warned that the attackers may have exfiltrated personal information submitted to the agency.
“The type of information held on ITAC’s servers includes personal information relating to ITAC’s employees, service providers, importers, exporters and other stakeholders,” it stated.
Cawe excused the delayed notification, saying they first needed to investigate and restore the integrity of their information systems.
“Also, it was considered vital not to pre-empt the investigations that had been initiated since ITAC became aware of the security compromise,” he said.
“We assure you that we have taken all the reasonable steps to contain the security compromise and to reduce the likelihood of similar incidents occurring in the future,” said Cawe.
“Over and above our ongoing investigation, we have requested our forensic service provider to remedy all weaknesses in our information technology environment.”
Cawe highlighted the following steps they took after the attack:
- Immediately shut down affected servers and restored them from backups
- Upgraded firewall and antivirus measures to the highest possible security levels
- Reported the attack to the relevant authorities
- Appointed a forensic service provider to conduct vulnerability and penetration testing.
Cawe said the penetration tester would also undertake a comprehensive forensic investigation to understand the nature and root cause of the breach, including the containment and recovery of their systems.
“The service provider will further assist us in ensuring that the remediation process is completed to prevent the reoccurrence of the security compromise,” he said.
However, Itac’s statement did not fill some stakeholders with confidence.
The Sunday Times quoted XA Global Trade Advisors as saying they were alarmed at how long it took Itac to notify potentially impacted companies.
They said clients participating in Itac investigations submit all kinds of confidential information, and they don’t yet know how their customers would react to the cyberattack notice.
Cawe reportedly doubled down, defending Itac’s approach.
He said they waited three months to issue a disclosure notice to avoid panic among stakeholders.
According to Cawe they have been transparent with the Information Regulator about the ransomware attack.