The Information Regulator has slapped credit bureau TransUnion with an enforcement notice following a data breach on 18 March 2022.Initially, TransUnion stated that “at least” 3 million of its South African customers’ details were affected. A further 6 million ID numbers were exposed but not linked to other personal information.“Our understanding is that data relating to 5 million consumers was potentially affected by the incident with a further 5.
Failing to take appropriate technical and organisational measures to ensure access control is implemented as directed by their own policy.Failing to prevent unlawful access to or processing of personal information that enabled unauthorised actors to gain unlawful access through the use of compromised credentials and a weak password.
Failing to implement the provisions of its own information security policies, which covered the domains recommended to ensure the confidentiality, integrity, and availability of its information processing environment as they relate to:Pansy Tlakula, Information Regulator chair These security measures must prevent loss of, damage to, unauthorised destruction or unlawful access to personal information.