The information regulator has ordered credit bureau TransUnion to publicise details of the information hackers have stolen, on all radio channels in all of SA's official languages and in newspaper and television adverts.

It said it was dissatisfied with the bureau’s response to the hack.

The hackers, who call themselves N4ughtySecTU, say they will leak consumers’ sensitive credit information and data from March 25 if they are not paid a $15m (R218m) ransom.

The breach was first revealed by online publication ITWeb on March 17, forcing TransUnion to admit that hackers had acquired access to a SA server.

The hackers say they have 28-million credit records and 54-million identity numbers. TransUnion believes the 54-million number relates to a 2017 hacking of a SA government website.

The information regulator was established this year when the Protection of Personal Information Act (Popi) came into effect to protect consumers and ensure their private information is kept secure.

It has the power to fine TransUnion as much as R10m for the security breach.

The company said it is still working out what local data has been stolen.

The regulator issued a statement on Friday saying TransUnion had not provided it with sufficient information about the hack, what data was obtained, and how the stolen data would be contained.

Personal information can be used by scammers to call and trick consumers into handing over their banking PINs, as they believe the caller is from the bank. It can also be used in identity theft — allowing criminals to open credit accounts in consumers’ names without their knowledge.

TransUnion collects credit information to provide to lenders such as insurers, banks and vehicle finance houses. The data they keep would include consumers’ credit card limits, clothing account instalments or outstanding bond or vehicle finance amounts.

The regulator said the credit bureau did not give it sufficient detail explaining how it would mitigate the subsequent risks from the leak.

The incident reveals the limits of the Popi Act, even as it legislates that companies must take actions to remedy data leaks. While the regulator wants to know how TransUnion will stop all data being used in “malicious actions”, it is not clear what a company can do once the data is stolen and released onto the dark web, which is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.

The regulator said it “has expressed grave concern about the credit bureau’s approach to ensuring that there are no further malicious actions with it by unauthorised persons”.

By combining data sets of previously stolen ID numbers, home addresses and phone numbers with the new credit information, the hackers may also create extremely detailed records that can be used by criminals.

N4ughtySecTU claim they have found data on the dark web that was released in the 2020 hack of credit bureau Experian. They claim to have approached them for a ransom.

The regulator says it will conduct an assessment into TransUnion’s security systems. It ordered TransUnion to provide it with confirmation that a criminal case has been opened with the police.

TransUnion published a statement on its website warning consumers not to “disclose personal information such as passwords and PINs via the phone, fax, text messages or even email”. It also urged consumers to verify all requests for personal information and only provide it when there is a legitimate reason to do so.

