
Sensitive personal information about nearly one million people who pay traffic fines online in SA has been leaked publicly.

The data leak of 934,000 records includes identity numbers, e-mail addresses, full names and passwords.

After some detective work, Australian cyber security researcher Troy Hunt along with Tefo Mohapi from iAfrikan discovered that the "data was backed up or posted publicly by one of the companies responsible for traffic fines online payments in SA".

The leak does not affect all licensed drivers; only those who have registered to pay traffic fines online using one or more of the sites that provide the service. People who have registered to pay traffic fines online were urged to change their passwords.

"This is yet another reminder of how far our data can spread without our knowledge. In this case, in particular, the presence of plain-text [unencrypted] passwords poses a serious risk because inevitably, those passwords will unlock many of the other accounts that victims of the breach use. This one incident has likely already led to multiple other breaches of online accounts due to that reuse," Hunt said to iAfrikan.

Hunt is founder of the website haveibeenpwned, which allows users to check if their personal information has been compromised online.

He said people would be able to verify if their data were included in the latest leak by visiting the site later on Thursday.

iAfrikan said it had alerted the Hawks and SA’s Information Regulator about the leak.

It was reported in late 2017 that millions of South Africans were compromised in a "data dump" that revealed their identity numbers, ages, locations, marital statuses, occupations, estimated incomes, addresses and cellphone numbers. It included personal information about prominent people including Jacob Zuma, Malusi Gigaba and Fikile Mbalula.

Hunt was the person who first alerted South Africans to that leak. One of SA’s top real-estate firms admitted to being the unwitting source of the data, hacked in what was then the largest-known personal data breach in the country.

Hunt said in a tweet that he had worked out which company the latest leak had emanated from.
