Regulator powerless to deal with latest data leak

Advocate Pansy Tlakula, chairperson of the Information Regulator.

The Information Regulator is not yet fully functional and able to deal with the latest data leak that saw close to a million records of South Africans being exposed.

So said chairperson of the Information Regulator, advocate Pansy Tlakula, in a telephonic interview with ITWeb this morning.

South Africans have suffered another massive data leak which has resulted in close to a million personal records being exposed.

This was revealed by Australian-based IT security researcher Troy Hunt. He created the Have I been pwned? platform as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or "pwned" in a data breach.

In October last year, Hunt also uncovered SA's biggest data leak, where over 30 million records were exposed.

Unsecured database

This time, Hunt says a database containing sensitive personal information, which appears to have originated from a traffic fine platform, has been leaked.

The leaked information, numbering 934 000 records, included people's names, ID numbers, e-mail addresses and passwords stored in plain text.

"It's not clear who originally obtained it [the database], but the link I was sent was to a site that frequently hosts breached data," Hunt told ITWeb via e-mail.

"The leak likely emanated from an unsecured database or other Web site vulnerability. The data was in a CSV format which is almost certainly not how it was originally stored. Judging by the plain text passwords and lack of encryption on the Web site, it doesn't look like much was done to secure the data in the first place," he added.

"This is yet another reminder of how far our data can spread without our knowledge. In this case, in particular, the presence of plain text passwords poses a serious risk because inevitably, those passwords will unlock many of the other accounts victims of the breach use. This one incident has likely already led to multiple other breaches of online accounts due to that reuse."

Following up

Responding to ITWeb on the latest data leak, Tlakula said the Hawks and the security agencies are investigating this data leak.

"So we will be following up with them. We will also be taking up the matter to find out who is responsible for the leak to find out what exactly happened."

However, she lamented that the challenge is the Information Regulator is not yet fully functional. "So we are not able to use our powers to deal with this. We are now pushing very hard in Parliament, saying it is very important for the Information Regulator to be capacitated and become fully functional."

She noted these kinds of leaks are happening in this country because the perpetrators know there will be no consequences for breaking the law.

"This is now the third data leak affecting South Africans; there was a massive leak last year that affected millions, then the recent Facebook leak, and now this one. These are occurring because there are no consequences. But we are not sitting idle. With the Facebook leak, we wrote to them and they responded to us from Ireland. We are happy that they responded quite comprehensively. Two days ago they told me they are investigating the matter."

Establishing the Information Regulator is one of the conditions set out in the Protection of Personal Information Act (POPIA). The regulator is empowered to monitor and enforce compliance by the public and private bodies in line with the provisions of both POPIA and the Promotion of Access to Information Act.

The POPIA promotes the protection of personal information by public and private bodies, and all public and private bodies will be expected to be compliant with its provisions within one year of its commencement.

Malicious actors

Brian Pinnock, cyber resilience expert at Mimecast, comments that the latest data leak is another example of how easily sensitive information can be placed in the wrong hands.

"With the General Data Protection Regulation coming into effect today, this leak is a timely reminder of the importance of adequate data protection," says Pinnock.

He points out that malicious actors who manage to get their hands on this data can use the information to conduct socially engineered impersonation attacks. With this amount of information at their disposal, hackers can send carefully crafted and legitimate-looking e-mails luring citizens into sharing sensitive information or making financial transactions, he explains.

"Impersonation e-mails are becoming increasingly more sophisticated and the signs of malicious URLs or fake e-mail addresses are becoming harder to spot. Anyone who has been exposed by this breach needs to be extra cautious and on the lookout for malicious e-mails.
