By Jan Vermeulen for MyBroadband
At least 1 200 files were exfiltrated from Department of Justice computer systems before attackers infected them with ransomware and brought South Africa’s legal system to its knees.
This is according to a notice published by the Information Regulator of South Africa to inform its users of the breach.
It said that according to the Department of Justice and Constitutional Development (DoJ&CD), these files may have contained personal information such as addresses and bank account details.
Personally identifying information of South Africa’s information officers may also have been exposed.
The Information Regulator said that the following personal information might have been exposed:
- Names, addresses, identity numbers, and phone numbers of information officers
- Names, residential addresses, identity numbers, phone numbers, qualifications, bank accounts, and salaries of employees
- Names, addresses, and bank details of the service providers.
The Regulator noted that this is just an early indication of the type of personal data that might have been compromised.
“The DoJ&CD has indicated in its report to the Regulator that at this stage, the investigations are inconclusive in terms of the exact nature of the information that was sent outside the ICT systems of the DoJ&CD,” it stated.
“Therefore, the types of personal information of its data subjects that may have been compromised is not yet determined.”
In addition to details of the data breach, the Information Regulator also revealed that it only found out about the attack because of a media statement issued by the DoJ.
“The Regulator became aware of the possible security compromise through a media statement on 9 September 2021 and was officially notified on 13 September 2021,” it stated.
It was only formally notified after reminding the department of its obligation to notify the Regulator and data subjects per section 22 of the Protection of Personal Information Act (POPIA).
The Information Regulator explained that the attack on the DOJ&CD places it in a curious position.
When the Information Regulator was established, as an interim measure, its computer systems were set up under the structures of the Department of Justice.
This makes the Information Regulator a “data subject” of the department and a “responsible party” that must notify its own data subjects in terms of POPIA.
The DoJ&CD was hit by a ransomware attack on 6 September, knocking several critical systems offline. These included:
- Bail services
- Payment of child maintenance
- No way to correspond with magistrates or judges — no one can file court papers
- Recording and transcription of court proceedings offline
- Master’s offices
Several cases in South Africa’s lower courts were postponed due to the outage, and the court system remains disrupted as the DoJ&CD works to restore its IT systems.
On 17 September, the department said it had recovered some functionality of its system for child maintenance payments, MojaPay.
The Master’s Offices around South Africa have been forced to revert to manual systems, also causing severe disruptions with the following services impacted:
Deceased estates — including issuing letters of executorship and urgent payments out of frozen bank accounts
Orphans whose affairs are being managed by the state
Democratic Alliance MP and former prosecutor Glynnis Breytenbach has said that the disruption to the Master’s Offices is a significant concern.
“They are no longer geared to operate manually. They don’t have the staff,” she stated.
“We need to get these systems back up and running. The Master’s office is so dysfunctional this is going to be the last straw,” she said.
Example of ransomware note without specific amount demanded, pointing victim to a dark web chat service.
The Information Regulator said it currently does not know the person’s identity that broke into the DoJ&CD’s systems. An investigation is underway.
In correspondence received from the DoJ&CD dated 20 September 2021, the Regulator was informed that the issue was detected within the Citrix environment — where applications are hosted.
Connectivity was lost between application and database servers on the evening of 05 September 2021, and, as a result, all user accounts on the Active Directory were locked.
The analysis of the attack concluded that it was a malware infection suspected to be ransomware.
The DoJ&CD informed the Regulator that even though the person’s identity that breached their systems is unknown, the investigation has led to the discovery of text files consistent with ransomware.
These files contain instructions to the department to contact what seems to be the perpetrators.
However, the DoJ&CD has advised that no demand for money has been made as of 20 September 2021.
A source has told MyBroadband that the claim from the DoJ that they didn’t receive a ransom amount is incorrect and that the attackers have asked for 50 bitcoin — around R33 million.
The DoJ&CD has disputed this and maintained that it has received no ransom demand.