SABC could be probed over handling of customers’ privacy after breach of TV licence website

• The Information Regulator is considering instituting a compliance assessment of SABC’s handling of customers private information.
• This follows a cyber breach that allowed attackers to access account information without passwords. 
• The SABC has conducted its own investigation, overhauled its website and updated security protocols. 
• For more financial news, go to the News24 Business front page.

The Information Regulator is considering instituting a compliance assessment of the SABC’s handling of customers’ private information, saying the state broadcaster failed to report a security breach of its TV licence website to it.

The breach, which occurred some months ago, allowed cyberattackers to access TV licence holders’ account details without their passwords.

The SABC itself confirmed the breach, which allowed cyberhackers to access the information of TV licence account holders this week, but said it had overhauled its TV licence website and updated it with the latest security protocols after being alerted to vulnerabilities of its website.

Responding to questions from News24, the Information Regulator said late on Wednesday the SABC did not report a security compromise as required by section 21 of the Protection of Personal Information Act (POPIA).

Instead, the Information Regulator had been informed of the incident from a “data subject” who complained their information had been compromised.

It said that when a “responsible party suffers a security compromise (breach) they must notify the regulator” and that since it had been brought to the Regulator’s attention through a complaint, it was considering instituting a POPIA compliance assessment on the SABC as per section 89 of POPIA.  

Mmoni Seapolelo, the SABC’s acting group executive of corporate affairs and marketing, told News24 earlier on Tuesday in response to questions that the state broadcaster had launched its own investigation following an incident that occurred a few months ago and determined that the vulnerability indeed existed.

She said appropriate steps were immediately taken as the broadcaster took the security of customer information seriously. These included a “full rewrite of the website, incorporating the latest security protocols” while it also tested and performed additional security assessments regularly to identify any further gaps.

“At this stage, all the identified vulnerabilities have been addressed and the TV licence site is secured.”

Seapolelo said that as part of its cybersecurity controls it had also appointed an “ethical hacking company” to assist it with regularly identifying vulnerabilities to “further enhance the response to any new threats”.  

Mybroadband.co.za first alerted the market to the vulnerabilities that allowed hackers to access TV licence accountholder details in July 2022, also reporting this week that the Information Regulator was probing the matter.

But Seapolelo told News24 the SABC had not been notified of any investigation by the Information Regulator “regarding the vulnerability that led to a cyberattack on the TV licence website”.

While the Information Regulator denied it was conducting a formal investigation, it said it was conducting a pre-investigation of a complaint lodged by a “data subject” who “alleged that due to a security compromise [data breach] that occurred at the SABC” their personal information was thereof processed unlawfully.

The Information Regulator said that “in the records at our disposal” the SABC did not report the security compromise as required by the POPIA legislation, which is why it was considering the compliance assessment of the state broadcaster.