Tardiness with fixing IT breaches earns department a R5m fine
The department of justice & constitutional development’s failure to buy antivirus software, as ordered by the information regulator, has earned it a R5m fine — the highest penalty yet imposed for noncompliance with the Protection of Personal Information Act (Popia).
The department suffered a cyberattack in 2021 that resulted in the loss of more than 1,200 files, the encryption of internal documents and the compromise of personal information. It forced the court recording systems offline, which led to postponements at lower courts.
It emerged that the department had not renewed its antivirus software, including its intrusion detection licence that would have flagged suspicious activity by unauthorised people accessing the network. In response, the information regulator issued an enforcement order in May obliging the department to show it had taken remedial action.
The widely publicised order required the department to show proof it had renewed its antivirus and intrusion detection licences within 31 days.
The regulator’s May enforcement order also required the department to show it had instituted disciplinary action against the employees who had failed to renew antivirus software, saying this was “necessary to safeguard the department against security compromises”.
The department had two alternatives when it received the order in May: either purchase antivirus software and start disciplinary action, or appeal against the order.
The regulator imposed the fine on Monday after the department failed to do either. This was despite a warning by the regulator that noncompliance with the enforcement order could lead to an administrative fine of up to R10m, or the imprisonment of the responsible officials.
The breach in 2021, which happened a year after the antivirus software expired, resulted in staff being unable to access their emails and issue electronic letters to the public, including bail documents.
It also meant the regulator’s website, which relied on the department’s IT system, went down and its staff were unable to access emails for three days.
At the time, the regulator reminded the department it was required under Popia to inform the regulator of cyberattacks. Instead, the regulator had learnt of it through its own system failing and media reports.
In 2022, justice & correctional services minister Ronald Lamola told parliament the cyberattack had been “debilitating” and pledged the department would improve its systems.
“We have gained good experience and we have learnt lessons on avoiding a similar incident, and we are continuously implementing backup and the necessary security systems,” he said.
But the 2021 breach was followed by another one in 2023 in which hackers stole R18m from the Guardian Fund. The fund, which falls under the master of the high court, was created to manage money on behalf of those legally incapable of managing their affairs, such as minors or missing people.
On Monday, the regulator said the department has 30 days to pay the fine, make arrangements to pay it in instalments, or elect to be tried in court on a charge of having committed the alleged offence.
The information regulator is an independent body that was established in 2016 and launched in 2021, and is answerable to parliament.
Security breaches and hacks are common and often affect large businesses, some of which have had to pay the hackers to restore services. However, the fine imposed by the information regulator is not for the department’s breaches but for its inaction after them.
Pharmacy chain Clicks suffered an IT security breach in May, which allowed hackers to acquire some customers’ personal details.
The SA division of credit bureau Trans Union was hacked in 2022 and a large amount of personal information stolen.
The department of justice & constitutional development was not immediately available for comment.