The Information Regulator said that the Department of Justice hasn’t renewed it’s cybersecurity licenses despite being sent an enforcement notice requiring it to.
- The Information Regulator has fined the Department of Justice and Constitutional Development R5 million for failing to beef up it’s cyber security software after a 2021 data breach.
- The department was given a month to renew it’s cyber security licences, some of which expired in 2020.
- The regulator claimed that this had resulted in the loss of 1 204 files from the department’s system.
- For more stories, visit the Tech and Trends homepage.
The Information Regulator has fined the Department of Justice and Constitutional Development R5 million after it failed to comply with an enforcement notice requiring it to beef up its cyber security software following a 2021 data breach.
The regulator claimed that the department had violated the Protection of Personal Information Act (POPIA), adding that a failure to “place adequate technical measures” to monitor and detect data breaches of their system resulted in the loss of 1 204 files from the system.
This conclusion followed a “full investigation” by the regulator, according to Nomzamo Zondi, senior manager for communications and media at the Information Regulator.
Through the investigation, the regulator found that some mitigation measures to protect the personal information of the department had taken place, but there were “gaps” in these measures, said Zondi.
Chief among these, were cybersecurity software licenses that had not been renewed by the department since 2020.
The Information Regulator claimed that the 2021 file loss stemmed from the failure of the department to renew these licenses.
Owing to this, the regulator submitted an enforcement notice to the department, requiring it to renew its security information and event management (SIEM) licences, which it said are required to monitor unusual behavior on the network and keep a backup of log files.
In terms of Section 95 of POPIA, the regulator may submit an enforcement notice which requires the responsible party to take specified steps or to refrain from taking specified steps when it is satisfied that the party has interfered or is interfering with the protection of personal information of a data subject.
The enforcement notice was submitted on 9 May and required the department to submit proof to the regulator that it had renewed its Trend Anti-Virus licence, the SIEM licence and the Intrusion Detection System licence within 31 days.
It also required the department to institute disciplinary proceedings against the officials who failed to renew the licences, which it said were necessary to safeguard the department against security compromises.
It said that the deadline to submit this proof was reached on 9 June, and that no proof had been received to date when it released a notice on 3 July.
The regulator implemented a R5-million administrative fine against the department for its failure to comply with the enforcement notice.
This is the first ever infringement order that the Information Regulator has issued, Zondi told News24.
She said the enforcement powers of the regulator only came into effect about two years ago.
“A lot is being tested,” she said.
News24 reached out to the Department of Justice for clarity on its version of events. A spokesperson said that the department has taken note of the new findings of the Information Regulator and the subsequent fine.
The spokesperson said the department is “considering its options” and is not in a position to respond at this stage.
The Sunday Times reported that that the 2021 cyber attack was one of three on the department in the last three years.
In September 2020, R10 million was siphoned from the department by cyber criminals, and in April this year, R18 million was stolen in an identical attack.