
OUT-LAW ANALYSIS

FlySafair data breach highlights reporting duties in South Africa

The duties organisations in South Africa face to safeguard personal information, and to report incidents in which personal information has been accessed without authorisation, have been highlighted by a recently reported data breach involving the airline FlySafair.

Earlier this month, various media outlets reported that personal information was exposed during the company’s annual birthday ticket sale. According to the reports, the data included the names and email addresses of FlySafair customers participating in the sale, and the information was temporarily displayed publicly because of a technical vulnerability in a chat feature that sat alongside the sales process. The airline acknowledged the incident, which it described as “limited in nature”, and has reported it to regulators, according to those reports.

A failure to safeguard personal information, even through an honest mistake such as a systems error, can trigger the same reporting obligations and risk mitigation measures as a data breach stemming from a sophisticated cyber attack.

Section 19 of South Africa’s Protection of Personal Information Act (POPIA) requires responsible parties to take appropriate, reasonable technical and organisational measures to prevent the loss of, damage to, or unauthorised access to personal information. This means that companies that receive a customer’s personal information must have reasonable technical and organisational safeguards in place to ensure that the information cannot be accessed by unauthorised third parties. This includes anticipating reasonably foreseeable risks, such as design flaws or misconfigurations, and ensuring that access to personal information is properly restricted, minimised or masked in customer‑facing systems.

The reporting obligations under POPIA do not distinguish between a security compromise in which personal information is exposed through a cyber attack and one in which it is exposed through a design error, human error, or failure of an internal process. If personal information is accessible to persons who are not authorised to access it, the security safeguard requirement may be breached and the reporting obligation will arise, regardless of the cause.

In addition, POPIA does not require proof that personal information has been misused for the reporting obligation to arise. Instead, the duty to notify South Africa’s Information Regulator and the relevant data subjects arises when there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. The public at large may constitute an ‘unauthorised person’, as it is unlikely that data subjects would consent to the publication of their personal information in the public domain.

The reported incident is a reminder that POPIA compliance is not only about defending against cyber crime and malicious actors: simple mistakes can have regulatory consequences similar to those of a targeted attack. In practice, this means that organisations must treat the protection of personal information as a governance issue, embedded in system design and operational processes. Where safeguards fail, whether through human error or technical oversight, the consequences under POPIA still apply.

Actions for businesses

The main takeaways are:

  • a trigger for the reporting obligation under POPIA is access to personal information by an unauthorised third party, a concept that is not limited to malicious actors;
  • companies must actively protect personal information throughout its lifecycle, including how the information is collected, stored, accessed, shared and displayed; and
  • organisations are expected to regularly review, update and refine their internal policies and procedures to ensure that they remain appropriate as the business evolves, new technologies are adopted, and new data‑processing risks emerge.

Co-written by Prince Rampya of Pinsent Masons.
