25 August 2021

Data Breach Notification to Information Regulator and General Notification

Notification of Information Security Compromise

The South African Institute of Chartered Accountants (SAICA) hereby notifies you in accordance with section 22 (1) (b) and (4) of the Protection of Personal Information Act, 4 of 2013 (POPI) and all other applicable data protection laws and regulations, that there are reasonable grounds to believe that the personal information of some SAICA data subjects have been accessed or acquired by an unauthorised person.

The nature of the personal information breach

The personal information breach was in the form of various phishing emails that were intermittently sent to SAICA employees between 29 June 2021 and 8 July 2021. Six (6) SAICA employees compromised their SAICA network login details by clicking on the link within the phishing email and inserting their login details. SAICA launched an investigation, which is still ongoing, to determine the number of individuals affected by the breach as well as the categories and approximate number of information records possibly affected. The identity of the unauthorised person/s who may have accessed or acquired the personal information is unknown to SAICA.

The likely consequences of the information breach are that:

  • you may have received the phishing email, clicked on the link within the email as well as entered your login information,
  • unauthorised persons may have subsequently tried to use the login details to access your personal information or other individuals or entities personal information,
  • further phishing emails were sent to your contact lists from your mailbox, which may have given them access to more people’s information, and
  • access to your other accounts with similar login credentials may have been compromised.

Measures taken

SAICA took immediate steps to safeguard our stakeholders’ information. The six (6) SAICA employees whose login details to SAICA’s network were compromised were ordered to immediately change their passwords. As part of SAICA’s ongoing IT security measures, employees were provided with detailed information on how to recognise phishing email scams.

On 2 July 2021, SAICA issued a written notification of the security compromise to all members via email as well as to other stakeholders on its website. This communication urged members and stakeholders not to open any email with the subject line ‘Proof of Payment (POP)’ or any remittance emails sent to them from email addresses containing SAICA details or SAICA branding. SAICA advised that these emails should be deleted immediately. They were further advised that if they received such an email, and if they had already clicked on the link in one of these emails, that they immediately change their network password and inform their IT administrator.

Multi-factor authentication has also been implemented on SAICA’s network. All employees were reminded that the use of SAICA credentials on external sites are prohibited and where such has occurred, employees were ordered to change it immediately.

It is further important to note that the compromised credentials were not used to access SAICA’s main member data base and systems or applications.

As the CEO of SAICA, I personally addressed all employees regarding an increase in phishing emails since the onset of the global pandemic and reminded them that it is imperative to remain cautious and not open any suspicious emails or click on any suspicious links within emails, and should they receive any phishing emails, that they report it to the IT Department immediately.

SAICA also notified the Information Regulator (South Africa) of these information security compromises.

Additional measures going forward

Although SAICA has on a consistent basis raised awareness regarding phishing emails, further ongoing awareness, training interventions and simulation exercises to test the resilience of our processes, will be implemented for SAICA employees and members. Furthermore, all employees will be made aware of their responsibility to report such incidences immediately to their line manager, the IT Department and Information Officer.

In the meantime, SAICA will continue its investigation into this matter and take all steps available to it to institute action against the unauthorised persons once their identity is known SAICA.

We take the protection of your personal information extremely seriously and reaffirm our commitment to the processing of your personal information in accordance with the provisions of POPI and all other applicable laws and regulations.

Please do not hesitate to contact us should you require any further information at: ***@saica.co.za or ***@tip-offs.com.

Kind regards
Freeman Nomvalo
Chief Executive Officer