Data breach hits 30m South Africans

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 18 Oct 2017
The hack could expose sensitive data which would facilitate fraud, identity theft and other criminal activity.
The hack could expose sensitive data which would facilitate fraud, identity theft and other criminal activity.

The personal information of about 30 million South Africans has been compromised.

This was revealed by Australian-based IT security researcher Troy Hunt. He created the Have I been pwned? platform as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach.

Following the discovery of what is potentially SA's biggest data breach, yesterday Hunt tweeted: "South African followers: I have a very large breach titled "masterdeeds". Names, genders, ethnicities, home ownership; looks gov, ideas?"

ITWeb contacted Hunt for more details about the discovery and he said the information was sent to him by a supporter of "Have I Been pwned" who found the data exposed online.

"Based on the data I've been able to process already, at least 30 million but likely much more," Hunt said in an e-mail. "It contained everything from national ID numbers to names, addresses, genders, birth dates and ethnicities."

The full list can be accessed here.

According to Hunt, the data was published to a publicly facing Web server where it was easily located.

"It's gross incompetence on behalf of the owner of the server. This seems like a case where a regulatory penalty should be imposed, but of course that won't help those who've already had their data exposed. It's enormously important that the server gets taken down ASAP."

Jon Tullett, IDC's research manager for IT services for Africa, says it appears the South African deeds registry, or a dataset very similar to it, has been leaked or hacked.

"If so, that could expose a great deal of sensitive data which would facilitate fraud, identity theft, and other criminal activity.

"Hopefully, the relevant departments will move quickly to confirm whether the data is a genuine leak, and if so, to notify everyone who was affected and advise them on options to mitigate risk. Stolen personal data often finds its way on to the open market in a matter of hours, so this is something which should be addressed as a high priority," says Tullett.

According to a recent study by IBM and the Ponemon Institute, the average cost of a data breach in SA is R32.36 million, a 12% increase since 2016. The report notes these data breaches cost companies on average R1 632 ($124) per lost or stolen record.

When compared to other markets, organisations in SA saw an average cost of a data breach at R32.36 million, have direct per capita cost of R809 and are among the markets that spend R8.07 million on post data breach response.

Earlier this year, Hunt also revealed that cinema chain Ster-Kinekor's Web site had been hacked, exposing details of up to seven million South Africans. This was arguably the country's biggest data breach at the time.

When SA's privacy law the Protection of Personal Information Act (POPIA) becomes effective, notification of data breaches will be required by law.

The South African Information Regulator has indicated the effective date for full promulgation of POPIA will likely be early 2018, following which all organisations will have one year to become compliant. Under this law, data subjects will be able to complain to the Information Regulator and it will be able to take action on behalf of data subjects.

There are dire consequences for any party being convicted of an offence in terms of POPIA. A maximum period of imprisonment of 10 years, or an undisclosed maximum fine (each fine to be determined by the relevant court on a case-by-case basis) can be levied. Furthermore, the regulator may institute administrative fines up to an amount of R10 million.