Notification of Security Compromise

12 June 2023. On or about 21 May 2023, the Development Bank of Southern Africa Limited ("DBSA", "us", "our" or "we") was subjected to a ransomware attack by a malicious threat actor. Based on preliminary investigations, the DBSA believes the threat actor to be Akira, a Russian ransomware group; however, this determination is not definitive as investigations are still ongoing. Various servers, logfiles and documents were encrypted by Akira, who threatened to publish the encrypted information to the dark web in the event that their demands (i.e. the payment of a sum of money) were not met (the "Incident").

The purpose of this notice is to notify our stakeholders, in compliance with all obligations we have under law, including our obligations under the Protection of Personal Information Act 4 of 2013 ("POPIA") and/or any contractual obligations that we may have, that we have reasonable grounds to believe that personal information of stakeholders has been accessed or acquired by unauthorised persons on account of the Incident.

Details of Personal Information Implicated 

The DBSA is committed to ensuring the protection of the information of our stakeholders.  Upon becoming aware of the Incident, the DBSA immediately conducted an investigation and determined that the following categories of records of your personal information may have been unlawfully accessed or acquired by the threat actor:

  • certain documents required to be collected by us under the Financial Intelligence Centre Act 39 of 2001, which include information relating to your business name, the names of your directors/shareholders and physical address;
  • identification documents and national identification document numbers; 
  • contact details, including telephone and cell phone numbers and email addresses;
  • details of the commercial or employment relationship with the DBSA; and
  • financial information pertaining to stakeholders (collectively, "Personal Information").  

Possible Consequences of the Incident 

To the best of our knowledge, the Personal Information accessed as a result of the Incident was limited to the Personal Information in the paragraph above. As our investigation into the Incident is currently ongoing, the full extent to which the Personal Information was compromised is not yet clear. The DBSA's initial view, therefore, is that the potential consequences of the Incident to stakeholders may be limited. However, given the nature of the Personal Information, we believe that malicious actors may attempt to impersonate stakeholders using the compromised Personal Information. As a result, the DBSA encourages stakeholders to remain vigilant and alert to any evidence that their Personal Information is being used incorrectly, and to take care to identify any unauthorised actions as they relate to their Personal Information.

Measures taken to address the Incident

Following our discovery of the Incident, we:

  • appointed a forensic investigator who is currently assisting in investigating the full extent of the Incident; 
  • continue, on a daily basis, to search the Dark Web in order to determine whether the Personal Information has been published;
  • appointed legal advisors to ensure that we remain compliant with all obligations under law, including our obligations under POPIA;
  • engaged with the law enforcement agencies and relevant regulators, including the Information Regulator (South Africa); 
  • restored our information systems environment in accordance with our disaster recovery procedures; and
  • revoked all third-party access to our information systems, thus preventing any further access to the information on our systems. 

The responsible use of personal information is not negotiable at the DBSA and we regret that the Incident has occurred. We are also undertaking a review of our technical and organisational controls to minimise the risk of an incident of this nature occurring in the future. In addition, we will continue to follow generally accepted industry practices to prevent the reoccurrence of similar incidents.

Mitigation measures to be taken by Stakeholders

As the above measures have been implemented to mitigate the possible adverse consequences of the Incident, the DBSA is of the view that there is no need, at present, for additional measures to be taken by stakeholders.  However, given the nature of the personal information and the Incident, we suggest that stakeholders nonetheless remain vigilant and mindful that their personal information may have been (or will be) published and take all reasonable measures to minimise their risk as a result thereof. 

Please do not hesitate to contact us at popia@dbsa.org in the event that you require any further information concerning the Incident.