Hawks, SSA probing major 'leak' of personal data of SA drivers who use ViewFines

2018-05-24 22:00

(iStock) (iStock)

Multimedia   ·   User Galleries   ·   News in Pictures Send us your pictures  ·  Send us your stories

The Hawks' cybercrime unit is working with the State Security Agency (SSA) to investigate reports of a major data leak that is said to affect almost a million South African drivers who used a local website, ViewFines, to check for traffic fines.

The operations manager of the company which owns the website, has also confirmed they are "implementing security measures immediately" to improve the website after being informed about the breach.

The personal records of more than 934 000 people, including their ID numbers, were apparently leaked online, according to a website by Troy Hunt, Australian security researcher and creator of the free service Have I Been Pwned.

His website allows people to check if their personal information has been compromised in a data breach.

He worked with iAfrikan to locate the source of the data.

Hawks spokesperson, Brigadier Hangwani Mulaudzi, said on Thursday evening that they picked up the issue on Wednesday and had already done a preliminary investigation, although they could not confirm anything yet.

ALSO READ: Roughly 1 million SA personal records - including ID numbers - have been leaked online. Here's how to check if it's yours

He said investigators were meeting with the SSA on Friday to determine what had transpired, how it happened and who was responsible.

The ViewFines website describes itself as a free service to the public to access all outstanding offences issued by its listed municipalities, which were registered against ID numbers.

"The registration provides you absolute security, and access is only allowed by ID and your personal password. No other member of the public can access your outstanding offence information," the website states.

But iAfrikan reported that the user passwords for the ViewFines website were stored in plaintext.

Aggregated Payment System (Pty) Ltd (APS), which owns ViewFines, lists on its LinkedIn profile the major services providers it is contracted with, including First National Bank, ABSA, Standard Bank and the SA Post Office.

APS operations manager Stephen Birkholtz told News24 that they started investigating on Thursday morning after they were informed about a breach.

READ: What does the law have to say about data leaks?

He said the ViewFines website has always had an SSL certificate, which enables encrypted communication, from inception.

"Our certificate was expiring in July and we installed a new one on the 8th [of] May," he said in response to emailed questions.

According to Hunt's investigation, however, the certificate that was issued on May 8 was revoked three days later and the reason stated was 'cessationOfOperation'.

When asked why passwords were stored in plain text, Birkholtz said: "When the website was designed in 2006, the security was sufficient."

"As soon as we realised that there might [have] been a leak, all passwords on the system were changed. We are also busy with the encryption on all passwords."

He said the website was still operational.

"There are no credit card, bank details or addresses stored on www.viewfines.co.za as we do not do any payments. We only inform the public of where they can pay their traffic fines."

Read more on:    hawks  |  cyber crime

Inside News24

Traffic Alerts
There are new stories on the homepage. Click here to see them.


Create Profile

Creating your profile will enable you to submit photos and stories to get published on News24.

Please provide a username for your profile page:

This username must be unique, cannot be edited and will be used in the URL to your profile page across the entire 24.com network.