Data breaches around the world are a regular and increasing occurrence, but to many of us, it is simply just SEP (Somebody Else’s Problem). Until now.
Troy Hunt, an Australian web security expert, was sent a massive dump of confidential information about what is arguably the entire population of South Africa. Yes, possibly the ENTIRE POPULATION.
On March 14, 2017, someone sent him a 27GB backup file of a MySQL database called “masterdeeds.sql”. This data contained fields such as Name, Surname, Home ownership, Estimated Income, Directorship, Physical and Mail addresses, Phone numbers, Email addresses, Property details, Employer details, and Identity numbers. By the time Troy had finished importing all the records into a database, he had over 60 million records. This included people marked as deceased, as well as some living abroad.
This may just be the largest breach of the PoPI ACT ever to take place. A recent large breach exposed personal data of only 44% of the US population. The Philippines Election Commission breach exposed about 50% of their population’s details. This incident represents almost 100% of South Africa.
Further investigation led to the exposure of the website holding the information. The company was Jigsaw Holdings – a holding company for several large estate agents in the country – including Aida, ERA and Realty-1. The Sunday Times reports that the CEO of Aida (Braam De Jager) is quoted as saying that he had no idea that the information, which was bought in 2014 from a credit bureau, was available on the server. He said the information was used to identify people who might want to sell their houses.
TechCentral reports that according to SensePost’s Willem Mouton, those that set up the site showed a total lack of security awareness. The findings were:
- The site’s database appeared to be vulnerable to SQL injection
- The leaked credentials had full owner access to the database
- The leaked credentials had full administrator access to all the databases on the server
- The credentials used were leaked via error messages
- The leaked credentials were re-used
Moreover, according to Mouton, nobody noticed large amounts of data leaving the network.
Unfortunately, all this information is out in the open, and can therefore be used for identity theft. Typical cases include the opening of bank accounts, to obtain mobile phones, and to conduct a broad array of other transactions. The country’s entire identity verification system has been exposed.
One of the more extreme measures to secure the system again is to redesign and re-issue all the identity numbers, but this will force people to re-identify themselves at every point where they need to do sensitive business. Chances are, however, that the government will do nothing, forcing every individual to be extra vigilent.
In this regard, Manie van Schalkwyk of the South African Fraud Prevention Service has the following tips:
“Do not attempt to verify your details in the database through uncertified third-parties. Rather, get your credit report from a credit bureau and check for suspicious transactions. If you find anything, apply for Protective Registration free of charge on the the SAFPS website.” This will allow banks and credit providers to be notified that your ID number has been compromised.