[BreachExchange] Just under 1 million personal records of South Africans leaked online

Destry Winant destry at riskbasedsecurity.com
Thu May 24 01:20:53 EDT 2018


https://www.iafrikan.com/2018/05/23/just-under-1-million-personal-records-of-south-africans-leaked-online/

Barely a year after South Africa's largest data leak was revealed in
2017, the country has suffered yet another data leak as 934,000
personal records of South Africans have been leaked publicly online.
The data includes, among others, national identity numbers (ID
numbers), e-mail addresses, full names, as well as plain text
passwords to what appears to be a traffic fines related online system.

Working together with Troy Hunt, an Australian security consultant and
founder of haveibeenpwned, along with an anonymous source that has
been communicating with iAfrikan and Hunt, we've managed to establish
that the data was backed up or posted publicly by one of the companies
responsible for traffic fines online payments in South Africa.

"I have a new leak which might be worthwhile, the database leak
contains 1 million records of personal information of South African
citizens. Including Identity numbers, cell phone numbers, email
addresses, and passwords. I am aware of the website this was leaked
from," said our source upon initial contact.

They further added that the database which contains just under 1
million personal records, was discovered on a public web server that
belongs to a company that handles electronic traffic fine payments in
South Africa. iAfrikan was able to view the publicly available
database and, just like the 2017 data leak of 60 million personal
records of South Africans, it appears to be a possible case of
negligence and carelessness in handling citizens' data: directory
listing/browsing was enabled on the directory where their "backups"
were saved.
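The root cause described above is a web server that auto-generates a listing of a "backups" directory. The following is an added example (not code from the article, iAfrikan, or the company involved) of a check a site operator can run offline against captured response bodies from their own servers: it recognises the auto-index pages produced by Apache (mod_autoindex) and nginx (autoindex on) and reports any listed files whose extension suggests a database dump or archive. The sample response bodies and file names are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample: the shape of an Apache mod_autoindex page for a
# "backups" directory (not the real page from the article).
SAMPLE_APACHE_INDEX = """<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1>
<a href="../">Parent Directory</a>
<a href="fines_db_2018-05.sql">fines_db_2018-05.sql</a>
<a href="users.bak">users.bak</a>
</body></html>"""

# Constructed sample: the shape of nginx "autoindex on" output.
SAMPLE_NGINX_INDEX = """<html><head><title>Index of /backups/</title></head>
<body><h1>Index of /backups/</h1><hr><pre><a href="../">../</a>
<a href="site-backup.tar.gz">site-backup.tar.gz</a>
</pre><hr></body></html>"""

# Constructed sample: an ordinary application page (no listing).
SAMPLE_APP_PAGE = """<html><head><title>Pay your fines</title></head>
<body><a href="/login">Log in</a><a href="/about">About</a></body></html>"""

# Extensions that usually mean a database dump or an archived backup.
BACKUP_EXTENSIONS = (".sql", ".sql.gz", ".bak", ".zip", ".tar.gz", ".dump", ".csv")


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(body: str) -> bool:
    """True if the body looks like a server-generated directory index:
    an "Index of /..." title plus a parent-directory link."""
    p = _LinkCollector()
    p.feed(body)
    title_matches = re.match(r"\s*Index of /", p.title) is not None
    has_parent_link = any(h.rstrip("/") == ".." for h in p.hrefs)
    return title_matches and has_parent_link


def exposed_backup_files(body: str) -> list:
    """Names of listed files whose extension suggests a backup or DB dump.
    Returns [] when the body is not a directory listing at all."""
    if not is_directory_listing(body):
        return []
    p = _LinkCollector()
    p.feed(body)
    return [h for h in p.hrefs if h.lower().endswith(BACKUP_EXTENSIONS)]


if __name__ == "__main__":
    for label, body in (("apache", SAMPLE_APACHE_INDEX),
                        ("nginx", SAMPLE_NGINX_INDEX),
                        ("app", SAMPLE_APP_PAGE)):
        print(label, is_directory_listing(body), exposed_backup_files(body))
```

A hit from this check is a configuration finding, not just a content one: the listing should be switched off (`Options -Indexes` in Apache, `autoindex off` in nginx) and, more importantly, backups should never live under the web root in the first place.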

“This is yet another reminder of how far our data can spread without
our knowledge. In this case, in particular, the presence of plain text
passwords poses a serious risk because inevitably, those passwords
will unlock many of the other accounts victims of the breach use. This
one incident has likely already led to multiple other breaches of
online accounts due to that reuse,” said Hunt to iAfrikan.
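Hunt's point is that a leak of plain text passwords is immediately reusable against other services. The following is an added example (not code from the article or from any system it describes) of the storage scheme that limits that damage: each password is salted and run through scrypt from Python's standard `hashlib`, and verification recomputes the hash and compares it in constant time. The scrypt cost parameters below are assumptions chosen so the example runs quickly.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for the example; n must be a power
# of two, and production deployments should tune these upward).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'scrypt$<salt-hex>$<hash-hex>', using a fresh random salt
    unless one is supplied explicitly."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            dklen=DIGEST_BYTES)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    Malformed or foreign records simply fail verification."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                            dklen=DIGEST_BYTES)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample record for the demonstration.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                # False
```

Because every record carries its own random salt, two users with the same password get different stored values, and an attacker who obtains the table has to spend the scrypt cost per guess per record instead of reading credentials straight out of a dump.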

Online traffic fine payments

South Africa has several companies that allow and facilitate the
payment of traffic fines online. These include using Internet banking
with some of the banks, PayCity, ViewFines, and PoCit, to name some of
them.

It is also important to highlight that the leaked database does not
represent the total population of licensed drivers in South Africa.
According to data from eNATIS, at the end of March 2017, South Africa
had just over 12 million licensed drivers compared to the leaked
database's 934,000.

However, if you have ever registered on any system online that allows
you to receive notifications and pay for traffic fines, it is best you
go change your password. Also, as Hunt has indicated, you will be able
to verify if your data was included in the leak from 24 May 2018 on
haveibeenpwned.

Pressure

The leak also comes at a time when South Africa's Information
Regulator is being put under pressure to act or share feedback on
recent data leaks involving South African citizens data. This also
includes the data of South Africans affected by the Facebook and
Cambridge Analytica saga.

"If people want to check if they were impacted, they’ll be able to do
so then [starting 24 May 2018] or subscribe to the free notification
service now and they’ll get an email as soon as it loads," concluded
Hunt.

