Transnet Suffers Ransomware Attack, Halts Port Operations

The real world consequences of crippling cyberattacks has been demonstrated after a South African state run entity halted its operations after being attacked last week.

Transnet Port Terminals (TPT) declared force majeure on Monday following the ongoing fallout from a cyberattack last week which hit the entire Transnet group.

TPT is part of Transnet, South Africa’s state-run ports operator and freight rail monopoly, and by declaring force majeure (which is an unanticipated or uncontrollable event that releases a company from fulfilling contractual obligations), it means that the importing of goods by sea containers into South Africa has been halted.

This declaration of force majeure is a contractual clause that means Transnet has absolved itself of any liability for not being able to provide promised services to its clients due to an “act of God”.

Business Insider reported that ships are already starting to bypass South African ports and heading to neighbouring countries instead.

South Africa is the most developed economy on the African continent, but most of its state run institutions have been mired in corruption and mismanagement allegations in recent years.

Indeed, the country was rocked a couple of weeks ago by widespread rioting and looting following the jailing of former President Jacob Zuma for contempt of court for defying a court order to give evidence at an inquiry into corruption during his nine years in power.

The cyberattack reportedly took place on 22 July, and TPT initially declared it as a “disruption on its IT network”.

But during TPT’s confidential force majeure letter to its customers on Monday, the entity confirmed that it was “an act of cyberattack, security intrusion and sabotage”.

Transnet Port Terminals container terminals in the Ports of Durban, Ngqura, Port Elizabeth and Cape Town have halted the importing of containers.

Liability evasion?

The declaration of force majeure has been questioned by security experts, who said it doesn’t send out the right message to customers and looks like the entity is trying to avoid accountability.

“Claiming force majeure removes liability of a cyberattack, and this could be seen as an attempt at removing responsibility,” said Jake Moore, cybersecurity specialist at ESET. “This may be a way to shield any claims or reimbursement, but shirking accountability after originally trying to downplay the magnitude of the attack doesn’t send out the right message to customers or other organisations.”

“Companies need to be far more open in their actions as we move to a time where cyberattacks are becoming inevitable,” said Moore. “It is far more admirable to be honest from the outset and make people aware of the situation.”

“Until laws are changed to make such procedures uniform, we may continue to see organisations try to reduce their personal impact of an attack by dumbing it down, but this can make outcomes far worse down the line,” said Moore.