The South African Data Protection Authority (Information Regulator) has issued an enforcement notice to the Department of Justice and Constitutional Development (DoJ&CD), following the discovery of a breach of various sections of the Protection of Personal Information Act (POPIA).
In September 2021, the DoJ&CD suffered a security compromise of its IT systems. This led to the unavailability of the department’s systems to its employees and subsequently affected public services.
The authority carried out an assessment on its own initiative after the department suffered this data breach. During this assessment, the authority found that the DoJ&CD had not put in place adequate technical measures to monitor and detect the unauthorised exfiltration of data from its environment, resulting in the loss of approximately 1204 files.
This occurred following the DoJ&CD’s non-renewal of the SIEM (Security Incident and Event Monitoring) licence, which would have enabled to monitor unusual activity on its network and keep a backup of the log files. This non-renewal of the licence resulted in the unavailability of critical information contained in the log files. The SIEM licence expired in 2020.
In addition, the DoJ&CD did not renew the licence for the intrusion detection system, which had also expired in 2020. Had this licence been renewed, the department would have received alerts of suspicious activity by unauthorised persons accessing the network. The Trend Antivirus licence was also not renewed in 2020 when it expired. The non-renewal of this licence resulted in the virus definition for known malware threats not being updated. The authority also found that the DoJ&CD had not taken the necessary steps to identify reasonably foreseeable internal and external risks to the protection of personal data in its possession or control. Finally, the DoJ&CD had neither established nor maintained appropriate safeguards against the risks identified.
Furthermore, the Department failed to establish and maintain appropriate safeguards against the identified risks and to regularly review and update security measures against malware threats. After finding that the DoJ&CD had breached sections 19 and 22 of POPIA, the Information Regulator issued an enforcement notice in which it ordered the Department to take a number of actions. These include requiring the Department to provide evidence to the authority within 31 days of receipt of the notice that the Trend Anti-Virus licence, the SIEM licence and the intrusion detection system licence have been renewed. It will also have to initiate disciplinary proceedings against the official(s) who have not renewed the authorisations required to protect the service against security breaches. If the DoJ&CD fails to comply with the enforcement notice within the specified time, it will be guilty of an offence, under which the authority may impose an administrative fine or, on conviction, imprisonment of the officials responsible.
With security compromises on the rise, the Data Protection Authority is now focusing on risk management.
It calls on data controllers to improve their information security systems to ensure that there are adequate safeguards to protect the personal data of data subjects in their possession or control.