DMASA database 'leaked'

By Nicola Mawson, Contributor.
Johannesburg, 30 May 2011

Around 39 000 South Africans who signed up on the Direct Marketing Association of SA's (DMASA's) “do not contact” database are at risk of identity theft, because the list has been leaked to companies that aren't DMA members.

The database contains sensitive information such as contact details, addresses and identity numbers. It is circulated every month via e-mail to the association's 389 members. The members then cross-reference their direct marketing mail shots against it to make sure they don't contact anyone whose name is on the database.

However, the registry has allegedly been leaked outside of the DMASA's circle, putting thousands of people, who signed up to avoid direct marketing, at risk of having their identity stolen and being defrauded.

The alleged leaking of the database comes as the Department of Trade and Industry (DTI) is evaluating bids, including one from the DMASA, for the creation of a national opt-out registry. The registry will be created in terms of the Consumer Protection Act (CPA), which came into effect last month.

According to the CPA, marketers will have to cross-reference their databases against the national opt-out registry. Marketers can't contact people who have signed up on the list, as it's a violation of the CPA.


Dominic Cull, owner of Ellipsis Regulatory Solutions, has seen a cracked copy of the entire database in the possession of an entity that isn't a DMASA member. Cull says the list contains all the information an identity thief would need: identity numbers, contact details and addresses.

Another industry source has received several lines of the database in his inbox from a DMASA member, which he wouldn't name as it's against the association's rules to circulate the list outside of the organisation. However, despite the rules, the source says it's not hard to get a copy of the entire database.

However, DMASA CEO Brian Mdluli argues the database hasn't been forwarded to anyone outside of the association. He provided ITWeb with a forward-tracking report covering April and May's databases, which shows that neither the password nor the list has been “forwarded” externally via e-mail.

The list is sent out to the DMASA's 389 members as a spreadsheet each month, and a monthly password is forwarded in a separate mail, Mdluli explains. The DMA is home to about 95% of South African marketers.

Mdluli says “we track and trace every single database that we circulate to our members” and the database hasn't been forwarded externally.

Not good enough

WWW Strategy MD Steven Ambrose says tracking forwarded e-mails doesn't prevent the spreadsheet from being opened, saved as an unencrypted copy and then sent out again. It also doesn't stop someone copying and pasting the list into a new spreadsheet, he adds.

“Any form of database, once sent with a password, is fair game for the world,” says Ambrose. He points out that password-cracking software can easily be downloaded from the Internet.

“In essence, a lot of people who don't want to be harassed and have taken the time to fill in their details on an opt-out list are now at risk of having their information circulated far and wide,” notes Ambrose.

However, Mdluli says the DMASA can track down a member that leaks the registry because each of the 389 lists is seeded with false information. If the database had been leaked, it would have been by a member, he adds.

Ambrose says tracing the leak doesn't help consumers whose information has been put at risk. He explains an e-mail system is an “insecure and inefficient way of protecting people's information”.

The potential for abuse of the list is vast, as the list is a good stepping stone for an identity thief to get hold of another database and cross-reference the two, says Ambrose. This could pave the way for a thief to commit credit card fraud, he adds.

Changing tactics

Mdluli says, if the database is compromised, the DMASA will take its member to task. “We will protect the consumer.”

May was the last month the database would be e-mailed out, says Mdluli. Within the next few weeks, the DMASA will implement a file transfer protocol system under which members will have to upload queries, which will be more secure, he explains.

The DMASA has tendered to look after the national opt-out registry and has been anticipating an attack from a company tendering against it, comments Mdluli. He says, in the past few days, another association launched its own registry in opposition to the DMASA, claiming better security.

Mdluli expects to hear the outcome of the tender within about three weeks. The DTI was not immediately available this morning to indicate the tender's current status.