This is Part 2 of a 2-part series to offer information and potential actions on the serious data breach that is now affecting almost everyone in South Africa.
As the fallout continues to cascade on the worst information and data security breach that has ever happened in South Africa, people are left stunned, angry and now looking to resources to help protect themselves and their families.
If you are unaware of how this breach was discovered, you will find that, as with everything, there were nuances and rabbit holes to work through before the full story emerged. You can review the initial “reveal” on Troy Hunt’s blog. An Australian-based security specialist with the title of “Microsoft Regional Director”, Hunt was given access to a huge data file that eventually proved to contain the identities of a majority of citizens in South Africa; about thirty-three million, to be more exact. What began as curiosity, especially given the sheer size of the data set, soon turned into wide-eyed shock.
What Data Was Shared?
In an interview, Hunt was very specific on the contents of the breached file known as “masterdeeds.sql”. Hunt stated: “The data included extensive personal attributes such as names, addresses, ethnicities, genders, birth dates, government-issued personal identification numbers, and 2.2 million email addresses.” However, the file also contained information on job titles, cell phone numbers, home ownership status, estimated monthly income and living standard measures. Each of these pieces of information can be used by cybercriminals for such things as applying for a home loan, credit cards, etc.
What really needs to be emphasised is that the data didn’t just relate to adults; it also included information on children, and this takes things to a whole new level. It’s one thing to have to be concerned about your own data being breached, but now it has become a requirement to include protection for your children. This calls for totally new behaviour, as keeping tabs on the personal identities of children is not something most people are accustomed to considering.
For adults and children alike, the fact that the government-issued IDs have been included is cause for major alarm. These IDs are part of the personal security level, similar to the way that social security numbers are allocated in the U.S. What many may not be aware of is that the SA government-issued ID contains your personal info in the number itself. If you want to see how that is done you can go to the Decoding Your South African ID Number site.
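To show how much a leaked ID number gives away on its own, here is an added Python example (not from the original article or the site mentioned above) that decodes the publicly documented 13-digit layout: birth date, gender sequence, citizenship digit and a Luhn check digit. The sample numbers used with it are constructed, and the `reference_year` century rule is an assumption, because the number stores only a two-digit year.

```python
"""Added example: what a South African ID number reveals by itself."""
from datetime import date

# Citizenship digit (11th digit) as commonly documented.
STATUS = {"0": "citizen", "1": "permanent resident"}


def luhn_ok(number: str) -> bool:
    """Validate the Luhn checksum; the 13th digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_sa_id(id_number: str, reference_year: int = 2017) -> dict:
    """Return the personal attributes embedded in a 13-digit ID number."""
    if len(id_number) != 13 or not (id_number.isascii() and id_number.isdigit()):
        raise ValueError("expected exactly 13 digits")
    if not luhn_ok(id_number):
        raise ValueError("check digit mismatch")

    yy, mm, dd = int(id_number[0:2]), int(id_number[2:4]), int(id_number[4:6])
    # Assumption: years up to the reference year are 20xx, later ones 19xx.
    century = 2000 if yy <= reference_year % 100 else 1900
    born = date(century + yy, mm, dd)  # raises ValueError on impossible dates

    return {
        "date_of_birth": born.isoformat(),
        # Digits 7-10: 0000-4999 female, 5000-9999 male.
        "gender": "male" if int(id_number[6:10]) >= 5000 else "female",
        "status": STATUS.get(id_number[10], "unknown"),
    }


if __name__ == "__main__":
    # Constructed sample numbers, not taken from any real person or data set.
    for sample in ("8001015009087", "1003150123084"):
        print(sample, decode_sa_id(sample))
```

Because the birth date and gender fall straight out of the number, an ID number should be treated as personal data in its own right, not as an opaque identifier.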
What You Can Do; Step 1:
Troy has set up a segment on his own website, haveibeenpwned.com, where individuals can check whether their emails or usernames have been included as part of the breach. Checking there is your first step to see if your information was included in the breach. It should be noted that Troy has not included any of the government-issued IDs as part of the information posted on his site.
What You Can Do; Step 2:
Identity theft at such a large scale needs to be taken very seriously. Each individual is going to be required to be proactive at levels that they have never before considered.
As part of our programs to help citizens and companies, DaVinci Forensics has published a 2-part series on identity theft entitled:
Read through each of these articles to get a real grasp of how thorough everyone needs to be with their own identity as well as that of their children.
How Could This Happen?
Anyone who has been a victim of identity theft always asks the same question: “How?”
A TechCentral article offers a bit of an explanation: “Poor information control, as in this case, is one of the reasons for the introduction of the Protection of Personal Information (Popi) Act. And, had the act been fully implemented, a negligent company could be liable to up to R10m in fines and negligent company officers jailed for up to 10 years. The ramifications of this breach probably won’t be as dire. Anyone who suffers damages due to the release of the data would have to sue for damages under common law, something that is quite difficult and complex to do.”
“Chris Basson, from Eighty20 business consultancy, put it like this: ‘Without making too many assumptions, we can say that the people responsible for building a solution which provides such uncontested access to personal information, had no business having the data in the first place.’”
“As security specialists, Da Vinci Forensics continues our vigilance in getting-the-word-out to both private citizens and businesses in the many methods that are required to protect yourselves against cyber hacking and identity theft. We are available to assist anyone that may have questions as well as a desire to pursue additional steps needed for the protection of personal and proprietary data.”