
E-toll security flaw in law agencies' hands

By Bonnie Tubbs, ITWeb telecoms editor.
Johannesburg, 11 Feb 2014
E-road users are still in the dark as to whether their details were accessed by third parties.

Details around a flaw in the SA National Roads Agency's (Sanral's) Web site have still not been made public, despite the agency's almost one million users potentially having had their personal details accessed.

The company tasked with running Sanral's e-toll operations - the Electronic Tolling Company (ETC) - says "the matter is currently being investigated by the country's agencies". Until the investigation has been concluded, neither the company nor Sanral would comment on the issue.

This comes over a month after Sanral was informed of the serious security flaw, which was initially exposed at the end of 2013 by a researcher identifying himself as "Moses Thembeka" and "moe1". The researcher published an advisory and a video showing how to capture the PIN of a registered e-toll user.

The exposed data - including personal details such as telephone numbers, home addresses and registration numbers - could be used for fraud, phishing, theft, or even housebreaking, particularly when coupled with records of a user's driving habits.

Sanral has yet to advise users on whether their details have been exposed, or how to safeguard themselves going forward.

Privacy cracks

Meanwhile, the Opposition to Urban Tolling Alliance (Outa) has taken the matter into its own hands and compiled an extensive complaint, which it has now lodged with the Public Protector.

In the complaint, which will be made available on the alliance's Web site, Outa consultant and spokesperson John Clarke accuses Sanral of breaching human rights. The list of 10 "grievances" Clarke lays out regarding the state's roads agency includes the following:

  • Maladministration of the databases and mismanagement of the IT systems by failing to ensure the necessary data integrity of primary sources and clean up the system, while expecting the users to take responsibility for initiating remedies to correct the errors and problems.
  • Obtaining personal information of people by violating their right to privacy.
  • Discourtesy to people seeking redress and explanation for errors and problems that have arisen from internal problems.

Clarke says: "There have been three security breaches of Sanral's IT systems, but Sanral's executives continue to defend the ETC's handling of the incidents." He notes that, although ETC has patched the flaws, no apology or letter has been sent to warn those registered to change their passwords or PINs.

Sanral has condemned the researcher who uncovered the flaw that exposed user details, dubbing it "an attack on law-abiding citizens". Sanral spokesperson Vusi Mona has not answered questions as to what steps the agency will take, or what recourse users have. In a statement after the flaw came to light, Mona said Sanral was investigating the impact and the agency's priority was to secure login details.

Sanral has welcomed the fact that Outa has involved the public protector in the ongoing e-toll fight, and says it will cooperate fully with any legitimate investigation launched into e-tolling. "We hope that Outa will accept the outcome of the public protector's investigation even if it is not to their liking."
