TransUnion Information Regulator

Photo: File

TransUnion: Information Regulator slams hacked credit bureau’s mitigations

The Information Regulator says the response submitted by TransUnion is inadequate and falls short of what is required by POPIA.

TransUnion Information Regulator

Photo: File

The Information Regulator has expressed continued dissatisfaction with the security compromise notification submitted by TransUnion.

This follows the instructions given to the credit bureau on 19 March 2022 when the Regulator called on TransUnion to explain the circumstances of the security compromise that it experienced. The credit bureau confirmed that a “criminal third party” gained access to one of its servers this past weekend. 


The Information Regulator said the notification that TransUnion submitted is inadequate, unsatisfactory and falls short of what is required by the Protection of Personal Information Act (POPIA). 

“The notification does not provide sufficient details nor remedy to the millions of data subjects, people about whom the personal information relates, whose personal information has been compromised by the TransUnion security compromise.

“It omits critical information that provides assurance on how the matter is managed. The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis. This leaves the Regulator extremely concerned regarding the adequacy of safeguards at TransUnion for the protection of personal information as is required in terms of POPIA.” 

Information Regulator

Information Regulator spokesperson, Nomzamo Zondi said they have now further directed TransUnion to provide them with a;

  • Detailed description of the possible consequences of the security compromise and its impact on data subjects
  • Advice and recommendations on the measures to be taken by the data subjects to mitigate the potential adverse effects of the security compromise.
  • Description of the measures that TransUnion intends to take or has taken to address the security compromise

The Regulator has also reportedly asked TransUnion to provide it with confirmation that a criminal case has been opened with the SAPS, in terms of the Cybercrimes Act, Act No. 19 of 2020. If no criminal case has been opened, the Regulator has requested reasons for the delay in doing so.


N4aughtySecTU which claims to be responsible for hacking TransUnion has began leaking “samples” to prove that they are indeed in possession of data of over 54 million South Africans.

The group also said it also obtained a data base from the Department of Home Affairs. It also threatened to leak databases of major banks such as Capitec, Nedbank, Standard Bank and FNB.

The group also claimed to have and threatened to leak personal and banking details of President Cyril Ramaphosa and other top politicians and lawyers.

ALSO READ: TransUnion latest: Hackers leak Cell C and ANC databases