“At least 1 200 files were exfiltrated” in Department of Justice breach

A ransomware attack on the Department of Justice and Constitutional Development (DoJCD) that was detected in September is far worse than expected.

In a statement posted to the Information Regulator of South Africa’s website, more detail on the attack was provided. The Regulator has a responsibility to do this as it makes use of the DoJCD’s IT systems.

The Regulator says it was made aware of the security compromise through a media statement issued on 9th September. Through correspondence with the department, the regulator was able to ascertain that an issue was detected in the DoJCD’s cloud application environment on 5th September. The issue saw connectivity between app and database servers lost. Further investigation found that the outage was caused by ransomware.

“The DoJ&CD has informed the Regulator that even though the identity of the person that had unauthorised access is not known, the investigation has led to the discovery of text files that are consistent with ransomware; those files contain instructions to the Department to contact what seems to be the perpetrators. However, the DoJ&CD has advised that no demand for money has been made as at 20 September 2021,” the Regulator wrote.

Why no ransom was demanded is strange, but it may be that the attackers had already got what they were looking for.

A Security Incident Analysis Report from the department reveals that at least 1 200 files were stolen from its systems.

“According to the DoJ&CD these files may have contained personal information such as addresses and bank account details,” the Regulator said.

The data that may have been stolen contains:

  • Names, addresses, identity numbers and phone numbers of information officers
  • Names, residential addresses, identity numbers, phone numbers, qualifications, bank accounts and salaries of employees
  • Names, addresses and bank details of service providers

This means that if the data has been captured by cybercriminals, the people concerned could have their information used for identity fraud and for targeted phishing attacks.

The Regulator was also rather critical of the DoJCD in its statement, highlighting the fact that the department only notified it of the breach after the Regulator reminded it of its obligations under section 22 of POPIA.

Whoever breached the DoJCD did so by way of a compromised domain administrator account. This high level of access likely gave the attacker the ability both to reach the information that was taken and to deploy the ransomware to the target systems.

The Regulator has said that it is in the process of establishing its own email systems with measures such as identity protection, anti-malware protection, multi-factor authentication, device management, threat protection and encryption.

Further to that, it is also developing its own Information Officer Registration Portal (which really should have been done by this stage, given that POPIA has been in effect since July), which will be cloud based and secure.

While POPIA was implemented with a view to preventing incidents like this, it is clear that much more has to be done at a government level when it comes to cybersecurity. Remember, it is not a question of if you experience a cyberattack, it is a question of when.
