Department of justice negligence leads to huge personal data loss
The Information Regulator has issued an enforcement notice to the department, as it has violated the POPI Act and jeopardised security
The department of justice & constitutional development contravened the Protection of Personal Information (POPI) Act, resulting in the loss of more than 1,200 files.
The Information Regulator issued an enforcement notice to the department this week for a September 2021 security breach on its IT systems.
This left the department’s systems unavailable and disrupted services to the public, the regulator said.
“The regulator conducted [its] own initiative assessment after the department suffered a ... data breach. After the assessment, the regulator found the department had failed to put in place adequate technical measures to monitor and detect unauthorised exfiltration of data from their environment, resulting in the loss of about 1,204 files,” spokesperson Nomzamo Zondi said.
The security breach was caused by the department’s failure to renew the Security Incident and Event Monitoring (SIEM) licence, which expired in 2020. This licence enables it to monitor unusual activity and to back up log files.
Failure to renew the licence resulted in the critical information in the files being unavailable, Zondi said.
The department also failed to take reasonable measures to foresee internal and external risks that may have arisen related to the personal information under its control.
“In this regard, the department failed to establish and maintain appropriate safeguards against the risks identified and to regularly verify and update the security safeguards against malware threats.”
As the department was found to be in breach of sections 19 and 22 of the POPI Act, the regulator has ordered it to take steps to protect the information under its care, which include submitting proof to the regulator that the SIEM licence has been renewed.
Disciplinary proceedings should also be instituted against officials who failed to renew the licence necessary to safeguard the department against security breaches, said Zondi.
“Should the department fail to abide by the enforcement notice within the stipulated time frame [31 days], it will be guilty of an offence in terms of which the regulator may impose an administrative fine in the amount not exceeding R10m, or liable upon conviction to a fine or to imprisonment of [the] responsible officials,” she said.