Regulator outlines just how poorly secured credit bureau was when it was breached

  • On Tuesday the Information Regulator revealed the results of an assessment it conducted on TransUnion following a breach.
  • The findings are damning and reveal that TransUnion didn’t follow its own password requirements.
  • The credit bureau has until the end of May to take actions outlined by the regulator.

On Tuesday the Information Regulator hosted a media conference to update the public on its activities. While we disagree with the dog and pony show aspect of this release, the contents of this briefing were fantastic and provided insight into how the regulator is adhering to its mandate.

One entity that likely didn’t find the proceedings pleasurable was credit bureau TransUnion. The bureau, which acts as a repository of credit information, was breached in 2022. Following this breach, the Information Regulator conducted an assessment, and what it found was mighty concerning.

The regulator found that TransUnion had breached approximately five conditions for the lawful processing of data, namely:

  1. Failing to secure the confidentiality of the personal information in its possession or under its control.
  2. Failing to take appropriate technical and organisational measures to ensure access control is implemented as directed by its own policy, and also not having controls to detect this failure.
  3. Failing to prevent unlawful access to or processing of personal information that enabled unauthorised actors to gain unlawful access through the use of compromised credentials and use of a weak password.
  4. Failing to implement the safeguards that have been put in place in the form of access management policies and user creation policies.
  5. Failing to implement the provisions of its own information security policies, which covered the domains recommended to ensure the confidentiality, integrity and availability of its information processing environment as they relate to:
    • User creation – which meant there was a user created outside of approved user creation processes.
    • Password complexity – which meant the disregard for the password requirements as set out in its Access Control Policy.

This is both damning for TransUnion and concerning for any South African with a line of credit. What’s worse is that TransUnion all but waved this breach off in 2022. Instead of offering an apology at the time, the credit bureau put the onus on South African individuals and businesses to monitor their own credit profiles, something that comes at an additional cost for both groups. The bureau did offer “free subscriptions to TransUnion’s tools to detect identity-related and business-related threats” but that offer is no longer available as of 31st December 2023.

The response from the firm was pathetic to put it lightly and the Information Regulator has ordered TransUnion to take the following actions:

  • Develop and put in place security measures to ensure the integrity and confidentiality of personal information in its possession or under its control to prevent loss of, damage to, unauthorised destruction or unlawful access to, personal information.
  • Obtain the services of a qualified auditor/audit firm who will perform an audit on all user accounts against the SFTP user creation policy to determine if the configuration of any further user accounts falls outside the prescripts of the policy.
  • Conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information.

The bureau has until 26th May 2024 to submit proof that it has taken these actions to the Information Regulator.

In response to the Regulator’s notice, the bureau has issued a statement:

“The South Africa Information Regulator has concluded its assessment of the cyber incident of March 2022, which involved an isolated TransUnion South Africa server. Immediately after the incident, we implemented a number of improvements following a review we commissioned by a world-leading independent forensics and security firm. We are now implementing the regulator’s additional recommendations and welcome the conclusion of the matter,” it said.

While we welcome the action taken by the Regulator, the fact that there were so many problems within TransUnion doesn’t fill us with confidence. Worse still, the data that was compromised in the breach isn’t exactly something folks can change, either at all or quickly.

It’s not clear whether TransUnion will be fined but with fines only able to go up to R10 million and TransUnion being a global firm with a market cap of around $15.27 billion, a fine is unlikely to rock its boat.

We now wait until May to see if TransUnion abides by the Information Regulator’s ruling.

[Image – Steve Buissinne from Pixabay]
