Consumer Law News South Africa

TransUnion ransomware attack could give rise to civil claims

News broke late last week that the credit bureau TransUnion South Africa is fighting a Brazilian hacker group that is demanding a $15m ransom over four terabytes of compromised data. TransUnion initially informed its customers that the affected data was limited to telephone numbers, email addresses, identity numbers, and physical addresses, but there are claims that the hackers have demonstrated that they also have bank account and vehicle ownership information, as well as a Department of Home Affairs file containing names, ID numbers, and birth dates.
Image source: © phartisan – 123RF.com

Given the scale and impact of the hack, it will be interesting to see whether and how South Africa’s Information Regulator will try to mitigate the impact.

The Information Regulator can issue compliance orders to bring about actions that mitigate future risks or the current impact. In this case, the issuing of fines, reported in the media as a possibility, will not mitigate the impact; but an order could be made whereby the Information Regulator mandates information campaigns on the breach by TransUnion.

These information campaigns must reach and inform data subjects from all walks of life that the TransUnion breach may cause many fraudulent banking scams to emerge. They should also instruct data subjects to validate, with the branches of their banking institutions, any telephonic requests from persons posing as their bankers.

We are yet to see civil claims from data subjects for losses caused by the leak of their personal information. However, if persons are defrauded as a result of the leak, these civil claims should become more prevalent.

Commentary provided by Chanique Rautenbach

Chanique is a Senior Associate with Barnard Incorporated Attorneys

E-mail chanique@barnardinc.co.za or call Chanique at 072 636 2524
