[BreachExchange] Top real estate company admits to being unwitting source of country’s largest personal data breach

Destry Winant destry at riskbasedsecurity.com
Thu Oct 19 00:41:36 EDT 2017


https://www.timeslive.co.za/news/south-africa/2017-10-18-top-real-estate-company-admits-to-being-unwitting-source-of-countrys-largest-personal-data-breach/

One of South Africa’s top real estate companies has admitted to being
the unwitting source of the largest known personal data breach to date
in the country.

TimesLIVE has also ascertained that the dump of personal information —
estimated at 31.6 million records — includes the estimated income,
addresses and cellphone numbers of the likes of President Jacob Zuma,
Finance Minister Malusi Gigaba and Police Minister Fikile Mbalula.

The information originated from Jigsaw Holdings, which includes Aida,
ERA and Realty-1.

Aida CEO Braam de Jager said they had “absolutely no idea” how the
information was published on their server before it was removed on
Wednesday afternoon.

“As I am speaking to you now, I have called in forensic guys into my
office that are busy investigating all of these things right now,” he
said.

De Jager said the information, which was available for download until
Wednesday morning, was bought from credit bureau Dracore in 2014.

The information contains, amongst other things, the ID numbers, age,
location, marital status, occupation, estimated income, physical
address and cellphone numbers of millions of South Africans.

De Jager said they bought the information to track down potential
clients who might want to sell their houses.

“If we arrive at a house and a tenant tells us that he knows the owner
wants to sell the house, we ask them who the owner is. They often do
not know who the owner is. We then go and extract that specific
property’s information based on the address to get the owner’s
information.”

Dracore CEO Chantelle Fraser said they were not responsible for
publishing the information and had no knowledge of how external
companies used the information.

The personal information that was published could be used for crimes
like identity theft.

Dr Jabu Mtsweni, cybersecurity expert at the Council for Scientific
and Industrial Research (CSIR), said this information could also be
sold on the internet to the highest bidder.

“People who want to clone my identity. They don’t necessarily need my
ID number. I don’t need to lose my ID number … This information can
also be used by criminals to actually try and authenticate themselves
as yourself over the phone.”

Professor Basie von Solms, director of the Centre for Cyber Security
at the University of Johannesburg, said cyber criminals could use the
information in this breach to obtain credit.

“With enough personal information, one can do damage to a person by
illegally opening credit accounts or make bookings. It is an extremely
big risk. The great risk is to the individual whose data has been
breached.”

South Africans were alerted to the leak by Troy Hunt, an Australian
web security expert, who first tweeted about it on Tuesday.

Hunt said “it’s crazy”, because it lists “almost every living person”
in South Africa.

“Every person that I have checked that sent me their ID number, I have
found a record for. That is very concerning.”

Von Solms noted South Africans were not out of the woods, because Hunt
and others could have made back-ups of the information.

Hunt received the information earlier this year, but he only got
around to checking it earlier this week. He often receives information
from various sources, because he created HaveIBeenPwnd.com, a website
where you can check if your information has been compromised in any
data breaches against about 4.8 billion records.

“Fortunately these are people [sharing the information] who have a
very ethical intent.”

