October 19, 2017

Have you been hacked?

All was well in our online Rainbow Nation until 17 October 2017, when an Australian security researcher, Troy Hunt, tweeted the following to his South African followers:

I have a very large breach titled “masterdeeds”. Names, genders, ethnicities, home ownership; looks gov, ideas?

Yip, this is the real deal! Allegedly, the identity numbers and other personal and financial information (all the information cyber criminals need to commit identity theft) of about 30 million South Africans had been hacked and leaked on the internet, since March this year at the very latest.

Hunt, who is also the creator of the website HaveIBeenPwned.com (a website that alerts registered users when their details have been compromised), uncovered this breach and discovered a dump of about 27 gigabytes (which is seriously a lot!) of information on South Africans.

Hunt stated the following:

  1. The breach was genuine;
  2. He has not seen it offered for sale to date, but that “it is definitely floating around between traders” (this is the really scary part for me);
  3. The data includes information from as far back as the early 1990’s;
  4. The database contained names of people, full identity numbers, gender, ethnicity, property ownership, employment and contact information;
  5. He speculates that the headers indicate that this dump occurred in March 2017, but it could have happened earlier; and
  6. It is suspected that the data may have been sourced from a government database, but this is not conclusive and could very well have been sourced from a bank or a credit bureau.

Hunt is on the hunt for the identity of the source of the data, and once he has identified it he will load the breach into his HaveIBeenPwned site.

According to data security researchers, this is SA’s biggest data breach ever.

Earlier this year, Hunt also exposed the hacking of Ster-Kinekor’s website, which resulted in the details of up to 7 million South Africans being compromised.

South African legislation pertaining to data protection and privacy is currently awaiting implementation.

When the Protection of Personal Information Act (POPIA) becomes effective – which will most likely be early 2018 – notification of data breaches will be required by law. Organisations will, however, have one year from that date to become compliant with POPIA. As such, it is only after the first year of implementation of POPIA that organisations and companies can be compelled to notify us of a data breach.

POPIA’s objectives are to safeguard our constitutional right to privacy and to restrict unauthorised access to information regarding any individual’s educational, medical, financial, criminal or employment history, as well as personal details such as ID numbers, contact details and physical addresses.

The consequences for any person convicted of an offence in contravention of POPIA include a maximum sentence of 10 years’ imprisonment or a fine with no specified maximum (in addition, the regulator may impose administrative fines of up to R10 million).

With the 27 gigabytes of personal information of approximately 30 million South Africans currently sitting out there waiting to be used, it remains to be seen whether the relief POPIA may bring will be a little too late!

Author: Almie Fourie

Robin Twaddle & Associates ©2017, All rights reserved.