What you need to know about SA’s biggest data breach: be very annoyed
Have your personal details been compromised in what has been called SA’s biggest ever data leak?
Last week, SA social media circles and news outlets sounded the klaxon on a major data breach that contained the personal identity details of a large portion of the country’s residents. Here’s what you need to know:
Earlier this year, someone (reportedly Twitter user @s7nsins) found a large file containing personal information on an open web server.
"It had been published there, and then the server was configured to allow directory browsing ... anyone with a web browser could go to that address and see all the files hosted on the site," writes information security expert Troy Hunt.
The Twitter user shared this file with Hunt who, for various reasons, didn’t deal with the matter for half a year. When he started digging into it last week, he quickly realised what he had in his possession, and called on his SA Twitter followers to help him identify the source.
Hunt was contacted by tech content producer Tefo Mohapi, who runs the iAfrikan blog and has written articles about the breach and its possible sources.
The breach has been covered in depth by local media since then.
Who is Troy Hunt?
Hunt runs a service called Have I Been Pwned? (haveibeenpwned.com), which allows people to search by user name or e-mail to see if their accounts have been affected by various data breaches.
What’s in the file?
The restored "Master deeds" MySQL database had more than 66m rows with unique SA official ID numbers, explains Hunt. This included information on people both dead and alive (hence the larger-than-population figure), and identity attributes such as names, e-mails, addresses, ethnicities, genders and more.
According to Hunt, there were "only 2.2m e-mail addresses but tens of millions of identities in the source database", making the breach "one of the worst [he has] ever seen on many levels".
Was this a hack?
No. It is important to note that this file was not hacked by an Internet "bogeyman", but was made available through a huge oversight.
Who is responsible?
At the time of writing his blog posts, Mohapi speculated that the data may have come from a credit bureau or data aggregator. He did some digging and reached out to Dracore Data Sciences to enquire if the company was the source.
Dracore denied this, and Mohapi has captured a back-and-forth conversation with the company on his blog.
This prompted several further news articles querying the source and Dracore’s connection, leading Dracore CEO Chantelle Fraser to write: "We conclusively know that we are not the source of the data leak."
Since then, real estate company Aida (part of the Jigsaw group) has been identified as the source of the file. It reportedly purchased this database from Dracore in 2014, but told journalists it has no idea why the file was on a public-facing server, and is awaiting a forensic report on the matter.
Are your details safe?
The database is large, and includes info of a wide range of people (even children). What is remarkable is the range and depth of information included. The original source has been taken down, but the file was accessible for at least seven months (possibly for more than two years), and we do not know who gained access to it during that time.
What can you do about it?
The short answer is that nothing can be done to "take back" the info.
The longer answer is that you will probably have to exercise extra vigilance around the use of your identity details, especially as these can be used to apply for credit in your name.
Having said that, credit companies are obliged to take certain identity verification steps (such as requesting copies of documents), so having access to your ID number, for example, doesn’t give someone free rein to "make it rain" in your name.
Consumers are legally entitled to a free credit report annually from each of the credit bureaus, and there are five that list consumer information. These will list enquiries made and accounts opened in your name, so enquiries from companies you have not interacted with might indicate identity fraud.