Information Regulator Chair, Pansy Tlakula, confirms that both the State Security Agency (SSA) and Department of Defence failed to inform the regulator of alleged data breaches, an admission first surfaced in an interview with the Sunday Times. Consequently, information notices have been dispatched to both entities regarding these breaches.
Tlakula emphasised that any act intended to defy the regulator would be treated as a criminal offence. “Apart from investigating the appropriateness of the security measures, we will also determine if any efforts to inform us complied with our law,” she added.
The suspected data breach at the State Security Agency was first mentioned in an October report by the Sunday World, which cited an anonymous operative attributing the breach to either American or Russian intelligence. However, internal forces within the volatile South African political landscape were also identified as probable culprits.
In contradictory statements, the Department of Defence initially dismissed reports of a data breach as 'fake news', then later retracted its rebuttal to pursue investigations. It then absolved itself yet again, positing that "criminal syndicates within cyberspace" orchestrated the breach with the aid of leaked departmental information.
In response to allegations that both parties attempted to conceal these data breaches, Tlakula reserved judgement, stating her preference to obtain the complete investigation results before making assertions. However, she expressed concern over the trend where news about significant state entity breaches tends to emerge mostly from the media, and not from prompt reporting by the breached entities themselves.
State bodies are legally bound to report any data breaches to the regulator, so their failure to comply until media reports raise the matter is a serious issue.
Thankfully, Tlakula stated that the regulator has substantial influence over government bodies. “Our assessment report functions as an enforcement notice which necessitates compliance. In case of non-compliance, we issue an infringement notice,” she declared. These notices can lead to hefty fines or even criminal proceedings.
She also mentioned that the regulator is drawing near to concluding its investigation into the TransUnion data breach of 2022 and the Experian breach of 2020.
These breaches involved extensive exposure of customer data, impacting millions of South Africans and numerous businesses.