7 February 2022

Data Breach Notification to Information Regulator and General Notification

NOTIFICATION OF SECURITY COMPROMISE

The South African Institute of Chartered Accountants (SAICA) hereby notifies you, in accordance with section 22(1)(b) and (4) of the Protection of Personal Information Act, 4 of 2013 (POPI) and all other applicable data protection laws and regulations, that there are reasonable grounds to believe that the personal information of some SAICA data subjects has been accessed or acquired by an unauthorised person.

The nature of the personal information breach

The personal information breach was the result of a SAICA Microsoft Teams meeting invitation that was sent out by a SAICA employee (the Employee) on 10 September 2021 with the subject line “SAICA – MS Teams invitation to attend a discussion forum as part of the UNISA monitoring visit 2021” to 480 (four-hundred-and-eighty) unrelated delegates (including you) to attend a discussion forum on 13 September 2021.

Complaints were received on 11 and 13 September 2021 respectively from two of the delegates, who advised that they did not think it a good idea to place 480 (four-hundred-and-eighty) delegates’ email addresses in the public domain by sending out the meeting invitation in this particular manner. The scheduled meeting proceeded on 13 September 2021, and only 72 (seventy-two) delegates attended.

SAICA launched an investigation to determine the categories and approximate number of individuals possibly affected, as well as the categories and approximate number of information records possibly affected. Upon completion of this investigation, it was determined that by sending out this meeting invitation the Employee provided all delegates with access to each other’s names and email addresses, and that from the email domain names the delegates could possibly determine each other’s employers or entities.

The identity of the unauthorised persons who may have accessed or acquired your personal information is known to you and SAICA as per the meeting invitation.

The likely consequences of the information breach are that:

unauthorised persons may have gained access to your personal information, limited to your name, surname and email address; and/or

unauthorised persons may make unauthorised use of your personal information.

Measures taken

The meeting invitation was subsequently cancelled and deleted. SAICA’s Information Technology Department confirmed that the SAICA Microsoft Outlook and Teams application versions do not provide for limiting access to invitees’ email addresses.

SAICA has in place general data protection, retention, privacy, data ownership and data classification policies and procedures which govern SAICA data and information. SAICA also has in place employee codes of ethics and conduct which set out the conduct expected from employees. These policies, together with employees’ conditions of employment, set out SAICA employees’ duties regarding the protection of information, including confidentiality.

Alternative applications and processes have been determined and implemented so that, going forward, meetings similar to this one can be scheduled and hosted without delegates gaining access to each other’s email addresses.

SAICA is also notifying the Information Regulator (South Africa) of this information security compromise.

Additional measures going forward

Ongoing awareness and training interventions, as well as simulation exercises to test the resilience of SAICA’s applications and processes, continue for its employees. These awareness exercises are aimed at ensuring that all employees are aware of their obligation to report any information security compromise. We take the protection of your personal information extremely seriously and reaffirm our commitment to processing your personal information in accordance with the provisions of POPI and all other applicable laws and regulations.

Please do not hesitate to contact us should you require any further information at: InformationOfficer@saica.co.za or saica@tip-offs.com.

Yours sincerely,

Freeman Nomvalo
Chief Executive Officer / Information Officer
SAICA

Amanda De Beer Nel
PD: Ethics & Compliance, Risk & Compliance