ITWeb recently broke the news that the credit bureau TransUnion South Africa is fighting a Brazilian hacker group that is demanding a USD 15 million ransom over four terabytes of compromised data. TransUnion initially informed its customers that the affected data was limited to telephone numbers, email addresses, identity numbers, and physical addresses, but there are claims that the hackers have demonstrated that they also have bank account and vehicle ownership information, as well as a Department of Home Affairs file containing names, ID numbers, and birth dates.
Given the scale and impact of the hack, it will be interesting to see if and how South Africa’s Information Regulator will try to mitigate the impact.
The Information Regulator can issue compliance orders to bring about actions to mitigate future risks or to mitigate the current impact. In this case, the possible issuing of fines, as reported in the media, will not mitigate the impact; but the Information Regulator could make an order mandating information campaigns on the breach by TransUnion.
These information campaigns must reach data subjects from all walks of life and inform them that the TransUnion breach may cause many fraudulent banking scams to emerge. The campaigns should also instruct data subjects to validate, with the branches of their banking institutions, any telephonic requests from persons posing as their bankers.
We are yet to see civil claims from data subjects for losses caused by the leak of their personal information. However, if persons are defrauded as a result of the leak, these civil claims should become more prevalent.