A business’ operations can be brought to a standstill if it experiences a data breach – a reality which is becoming more and more familiar. Section 22 of the Protection of Personal Information Act 4 of 2013 (POPIA) requires responsible parties to notify both the Information Regulator and the relevant data subject(s) of a breach where there are reasonable grounds to believe that their personal information has been accessed or acquired by any unauthorised person. The Information Regulator itself recently had the unfortunate opportunity to demonstrate this requirement.
On or about 9 September 2021, the Information Regulator became aware of a security compromise at the Department of Justice and Constitutional Development (DoJ&CD), whose information and communication technology (ICT) systems the Information Regulator shares. The DoJ&CD has advised that the security compromise was effected through ransomware on its systems on 6 September 2021. The DoJ&CD further confirmed that there was unauthorised access to its ICT systems and that, as a result, one of the domain administrator accounts was compromised and used to deploy ransomware in the DoJ&CD’s ICT environment.