The data breach was exposed by Australian-based IT security researcher Troy Hunt who says the data was published to a publicly facing Web server where it was easily located.
The data contained everything from national ID numbers to names, addresses, genders, birth dates and ethnicities, says Hunt.
"The regulator intends to inquire from the concerned bureaus whether the allegations are true or known to the bureaus or not."
Establishing the Information Regulator is one of the conditions set out in the Protection of Personal Information Act (POPIA). The Information Regulator functions in accordance with the POPI Act and the Promotion of Access to Information Act.
According to Tlakula, despite the fact that not all the provisions of the Protection of Personal Information Act 4 of 2013 have commenced, the regulator has decided to adopt a proactive approach in respect of all the complaints it has received.
The complaints are referred to responsible parties who are requested to investigate, take corrective action, where necessary and inform the Regulator accordingly, she notes.
"The regulator will follow the same approach in respect of the allegations of data breach, which the regulator regards as extremely serious, if true."
The source of the data breach is still unclear, with several reports pointing to different South African organisations. Amid the confusion, there have been threats of litigation by some companies which have so far been blamed for the breach.