The South African National Roads Agency (Sanral) has denied that it suffered the widely reported breach of its e-toll systems, or that it leaked any personal information.
ITWeb has received copies of e-mail correspondence allegedly between Sanral and an e-toll user in which the user requested clarification on the agency's security breaches and asked whether his details had been exposed.
Sanral's responses included this statement: "Please be advised that we have not received any communication with regards to a security breach, hence we have no knowledge of a breach thereof [...] Your details are safe, because we have international best practice security systems in place."
Another e-mail states: "Please be advised that your account details are safe. Note that the e-toll system has international best practice security systems in place; including protective measures to ensure that road user e-toll account details remain secure."
Sanral refused to answer queries asking it to confirm or deny that the statements were genuine, or to substantiate the claims made in them. The agency, which has failed to respond to several queries from ITWeb journalists in recent weeks, sent a terse message stating it will no longer respond to media queries.
The message, sent on behalf of Sanral spokesman Vusi Mona, states: "In light of your publication admitting to hacking into our system, Sanral will no longer cooperate with ITWeb as you are dealing with us in bad faith."
ITWeb, in the course of routine investigation into the previous breaches, took steps to confirm that the Web site flaws existed and were exploitable, and ensured that Sanral, and any users involved, were appropriately notified.
Aside from that tacit admission that it knew ITWeb had reported on several breaches, the suggestion it has no knowledge of a breach is a surprising U-turn. Several executives, including spokesman Vusi Mona, previously acknowledged the attacks, describing the agency as being the victim of "cyber attacks" and "deliberate exploitation".
Sanral also previously said it would take legal action in the wake of the cyber attack, but did not explain who it would seek recourse from. "Sanral is currently investigating options available to it," it said at the time.
The agency also has yet to make any move to alert users to the security breach in question. When the Protection of Personal Information Act (POPI) is enacted, such disclosure will be mandatory by law, but for the time being there is no legal requirement for an organisation to do the right thing.
"If we were having this conversation with POPI enacted, it would be very different," says cyber lawyer Paul Jacobson. "But we're not going to see POPI for at least another year or more."
Even so, the statements, if they are from a Sanral spokesperson, could raise legal concerns, he says, since the agency's claims of securing data and ensuring safe transactions could be challenged as fraudulent.
Since its Web site launched, e-tolls have been dogged by security issues, including a flaw that returned the full personal details of any account whose username an attacker knew or guessed, with no check that the requester owned that account. ITWeb previously demonstrated how Sanral's site could be used to track a vehicle in real-time by looking up its licence plate in the e-toll database, and reported on a flaw that allowed attackers to hijack logged-in e-toll payment sessions and so gain access to users' accounts. The beleaguered agency has also suffered denial of service attacks, as well as anthrax scares and bomb threats at its call centre.
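The two classes of Web flaw described above, a record lookup keyed only on a client-supplied identifier (a username, or a licence plate) with no ownership check, and a login that leaves the pre-login session identifier in place so a captured or planted session becomes a logged-in one, can be modelled in a few lines. The following is an illustrative example added for this article; it is hypothetical code, not Sanral's system and not part of ITWeb's reporting, and the account records, passwords and function names are constructed for the demonstration. Each vulnerable handler is shown beside the hardened form a practitioner would expect.

```python
# Hypothetical model of two web-application flaw classes (not Sanral's code):
#   1. an account lookup that returns any record for a supplied username,
#      with no authentication or ownership check;
#   2. a login that authenticates "in place" on the caller's existing session
#      id, so an id the attacker already holds becomes a logged-in session.
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data for the demonstration; not real e-toll records.
ACCOUNTS: Dict[str, dict] = {
    "alice": {"id_number": "8001015009087", "plates": ["ABC123GP"], "address": "1 Main Rd"},
    "bob": {"id_number": "7505055009084", "plates": ["XYZ789GP"], "address": "9 High St"},
}
PASSWORDS: Dict[str, str] = {"alice": "correct horse", "bob": "battery staple"}

# Server-side session store: session id -> authenticated username, or None
# for an anonymous (pre-login) session.
SESSIONS: Dict[str, Optional[str]] = {}


def new_session() -> str:
    """Issue an anonymous session id, as a site does on first visit."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = None
    return sid


def password_ok(username: str, password: str) -> bool:
    """Constant-time password check; unknown users compare against a dummy."""
    stored = PASSWORDS.get(username, "")
    return bool(stored) and hmac.compare_digest(stored.encode(), password.encode())


def account_details_vulnerable(username: str) -> Optional[dict]:
    """Flaw class 1: the only 'key' is the username, so anyone who knows or
    guesses it receives the full record. Nothing ties the request to a login."""
    return ACCOUNTS.get(username)


def login_vulnerable(sid: str, username: str, password: str) -> bool:
    """Flaw class 2: on success the caller-supplied session id is simply
    upgraded to an authenticated one. An attacker who fixed or captured that
    id before the victim logged in now holds a logged-in session."""
    if not password_ok(username, password):
        return False
    SESSIONS[sid] = username
    return True


def login_hardened(sid: str, username: str, password: str) -> Optional[str]:
    """Discard the pre-login session and issue a fresh id on success, so an
    id obtained before authentication is worthless afterwards."""
    if not password_ok(username, password):
        return None
    SESSIONS.pop(sid, None)
    fresh = secrets.token_urlsafe(32)
    SESSIONS[fresh] = username
    return fresh


def account_details_hardened(sid: str, username: str) -> Optional[dict]:
    """Return a record only to a session authenticated as that same user.
    The username in the request is checked against the server-side identity
    rather than trusted on its own; a mismatch is refused, not redirected."""
    owner = SESSIONS.get(sid)
    if owner is None or owner != username:
        return None
    return ACCOUNTS[username]


if __name__ == "__main__":
    # Attacker guesses a username: vulnerable endpoint hands over the record.
    print("vulnerable lookup:", account_details_vulnerable("bob"))
    # Same guess against the hardened endpoint with an anonymous session: refused.
    anon = new_session()
    print("hardened lookup, not logged in:", account_details_hardened(anon, "bob"))
    # Bob logs in; the session id rotates and only bob's own record is visible.
    fresh = login_hardened(anon, "bob", "battery staple")
    print("old id still valid after login:", anon in SESSIONS)
    print("bob's own record:", account_details_hardened(fresh, "bob"))
    print("bob asking for alice:", account_details_hardened(fresh, "alice"))
```

The ownership check in `account_details_hardened` is the whole fix for the first flaw: the record is selected by the identity the server already knows, and the client-supplied name only has to agree with it. Rotating the session id in `login_hardened` is what closes the second; the same rotation belongs on every privilege change, not only on login.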
Sanral's assertion that it has "no knowledge of a breach" is, as Jacobson describes it, "disingenuous at best".
"As if we needed any further confirmation that Sanral lives in a dream world, this astonishing response has got to take the cake," says Howard Dembovsky, national chairman of the Justice Project SA.
"To turn around and say that 'we have not received any communication with regards to a security breach' is preposterous, given the multiple and widely publicised security breaches of Sanral's systems reported in the media. At the very least, the VPC should be communicating with Sanral's spokesperson, Vusi Mona, who has been quite vocal on this matter, instead of once again engaging in disseminating untruthful information into the public domain."