Picture: ISTOCK

In what was considered to be SA’s biggest data breach, about 30-million identity numbers and other personal and financial information had been hacked and leaked on the internet, a data security researcher said on Tuesday.

The data dump of about 27 gigabytes contained a wide range of sensitive information, including people’s 13-digit ID numbers, personal income, age, employment history, company directorships, race group, marital status, occupation, employer and previous addresses.

The data breach was uncovered by Troy Hunt, a Microsoft regional director and a Microsoft most valuable professional for developer security.

The researcher had founded the website HaveIbeenpwned.com, which alerts registered users if their details have been compromised in corporate or website hacks. Earlier in 2017 it exposed SA’s latest major data breach after Ster-Kinekor’s website was hacked in 2016, exposing more than 6-million accounts including 1.6-million unique e-mail addresses.

Hunt posted some of the data online under headings for personal income, employment history, company directorships, age, race group, marital status, occupation, employer and previous addresses.

Other database fields include “province, township, erf number, unit number, sales price, bond amount, bond holder, title deed, transfer date, LSM [living standards measure] group, estimated income, home ownership, and directorship”.

Hunt later tweeted: “Now confirmed as legit with multiple parties.” He said “there are more than 30m [million] records so it’s massive” and “confirmed full 13 digit ID numbers (containing birth date) are present”.

Hunt speculated it might have been sourced from a government database as it included the words “master_deeds”, while other commentators said it might have been a financial institution or credit bureau.

An analyst who spoke to Hunt told Business Day his own revealed details were accurate, and appeared to be about five years old based on his income at the time and an e-mail he had not used for about five years.

“It’s legit. It’s real data. It’s not this guy making it up. It’s personally identifiable data,” said the analyst, who asked not to be named for personal privacy reasons. He thought it was data from a credit bureau because one of the fields was titled CPC (credit participation certificate) and had a numerical ranking, which he speculated was a ranking of creditworthiness.

“There is no deeds information in it. The headings are there but they are blank,” he said. Such large breaches have become a global phenomenon.

In October Yahoo revealed all 3-billion of its accounts had been exposed during a large hack in 2013. The hack of US credit agency Equifax in September resulted in 145.5-million Americans’ personal details being revealed, following the theft of 40-million customers’ credit card records from US retailer Target during the 2013 Christmas period.

• Shapshak is editor-in-chief and publisher of Stuff.co.za. 
