SA’s largest data breach, and your rights

2017-11-03 06:00

SOUTH Africa experienced its largest data breach last week with tens of millions of people’s personal information leaked online.

The leaks contained over 60 million database records holding the personal information of South Africans, dead or alive, including ID numbers, marital status, income, company directorships held and previously held, employment details and property ownership information.

It was uncovered by Australian independent security consultant and Microsoft Regional Director Troy Hunt, who said the 27GB file, which was last updated in April 2015, was sent to him in April.

Hunt reviewed it earlier this month and, as he started loading the file on his laptop, he first noted that it held over 30 million records and that they were of South Africans, prompting his tweet asking for assistance in locating the source of the leak.

“South African followers: I have a very large breach titled “masterdeeds”. Names, genders, ethnicities, home ownership; looks gov, ideas?” he tweeted.

His tweet caught the eye of many, including tech journalist Tefo Mohapi of iAfrikan, who was working with Hunt.

Later he revealed the source might be Dracore Data Sciences, one of the country’s largest data aggregators, which also runs an online platform known as GoVault, which is, according to Dracore, a “gold mine of information, offering easy access to the contact details of South African consumers and homeowners”.

“At first glance, it is tempting to think the data was leaked from a South African government department or government-related entity like Sars.

“A closer look at the columns in the data set eliminates that, especially the fact that the “deceased_status” column doesn’t contain a deceased date, but an “alive” or “deceased” option, and narrows it down to three possible types of organisations: 1. A credit bureau, 2. A data aggregation company and 3. A digital ID/Fica repository company/startup.

“Given the size of the data and the columns, I ruled out option 3 and concentrated on the first two options,” said Mohapi in his article “What We Know So Far About South Africa’s Largest Ever Data Breach”.

Incidentally, the IP address of the web server, before it was taken down, was traced to a Pretoria estate company, Jigsaw Holdings, who are also former clients of Dracore.

Dracore’s CEO Chantel Fraser later published a statement saying that the breach was not theirs, although not denying former ties to Jigsaw.

“Today [October 18, the day of Mohapi’s article “Is Dracore Data Sciences Responsible For South Africa’s Largest Ever Data Leak?”] has been a really tough day for my team. I started my journey into entrepreneurship in 2013 and have always operated my business on the premise of integrity.

“We are a small business, but already submitted our credit bureau application in October 2013 to The National Credit Regulator as we wanted to be able to ensure we were always compliant with the relevant legislation that impacts the way in which data has to be stored and managed.

“Why, because we wanted to ensure that we would be able to provide good quality data enrichment solutions to our clients now and into the future and earn the right to be known as a reputable and reliable business our clients could deal with,” said Fraser.

The breach and the Protection of Personal Information (PoPI) Act

As Hunt explained, this large volume of South Africans’ personal information was posted on a Jigsaw web server, readily available for anyone’s consumption, for at least two-and-a-half years.

Local IT technician Mvumikazi Tsewu said web servers, which were sometimes used by companies to back up their files, were a negligent and irresponsible way of storing data.

“Anyone with an ounce of knowledge about information technology can access web servers,” said Tsewu.

Furthermore, Tsewu said questions of whether these leaks or the use of these details by Jigsaw were even legal according to PoPI needed to be examined.

According to Workpool South Africa, the purpose of the PoPI Act is to ensure that “all South African institutions conduct themselves in a responsible manner when collecting, processing, storing and sharing another entity’s personal information by holding them accountable should they abuse or compromise your personal information in any way”.

PoPI stipulates the following regulations for the use of your personal information:

• when and how you choose to share your information (requires your consent).

• the type and extent of information you choose to share (must be collected for valid reasons).

• transparency and accountability on how your data will be used and notification if/when the data is compromised.

• providing you with access to your own information as well as the right to have your data removed and/or destroyed should you so wish.

• who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information.

• how and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft, or being compromised).

• the integrity and continued accuracy of your information (i.e. your information must be captured correctly and once collected, the institution is responsible to maintain it).
