This is Part 1 of a 2-part series to offer information and potential actions on the serious data breach that is now affecting almost everyone in South Africa.
As the fallout continues from the worst information and data security breach that has ever happened in South Africa, people are left stunned and angry, and are now looking for resources to help protect themselves and their families.
If you are unaware of how this breach was discovered, you will find that, as with everything, there were nuances and rabbit holes to work through before the full story emerged. You can review the initial “reveal” on Troy Hunt’s blog. As an Australian-based security specialist with the title of “Microsoft Regional Director”, Hunt was given access to a huge data file that eventually proved to contain the identities of a majority of citizens in South Africa; about thirty-three million, to be more exact. What began as a curiosity, especially given the sheer size of the data set, soon turned into wide-eyed shock.
Once he realised what he had been given, he began to take action. Initially, Troy began a validation process, alerting the security community as well as his Twitter followers; people contacted him privately and sent him their information to see whether it was included in this data. Troy stated: “Every person that I have checked that sent me their ID number, I have found a record for. That is very concerning.”
The data file was freely and openly available for anyone to access. One has to remember that when these types of files are stolen, it is usually for the purpose of selling the information. The fact that it was accessible to anyone raises the question of why.
How Long Was the Information Available?
As Troy continued his research, he found that the original file was still on the internet and available to anyone. He found not only a few companies that seemed to be involved in holding the data, but also the individual who originally found the data file online, who goes by the name “Flash Gordon” on Twitter. In his article, Troy states:
“Flash had found the entire 27GB file sitting on a publicly facing web server. It had literally been published there and then the server configured to allow directory browsing. What this meant is that anyone with a web browser could go to that address and see all the files hosted on the site. The Master Deeds file had a ‘Last modified’ date of 8 April 2015; it could have been exposed since that date.
“This is really alarming because it means at the absolute least, the data was left open to the public for 7 months. At worst, it was 2.5 years if we go all the way back to the ‘Last modified’ date in early 2015. In fact, it could have been exposed for even longer because that’s just the date it was last changed, not when it was created and not when it was necessarily placed on that server.”
Who Did This?
While the data file has since been taken offline, there has been a series of accusations as to who actually stole the data first. Originally, the company “Dracore Data Sciences” came under suspicion because some common headers made it appear as if they had some of the data, but it was later shown that they were not the perpetrators. To clear their name, they have posted their story on their website.
According to a Tech Central article: “The largest data leak recorded in South Africa has been traced to a Web server registered to a real estate company based in Pretoria. ‘Whois lookup’ information points to Jigsaw Holdings, a holding company for several real estate franchises, including Realty1, ERA and Aida. The misconfigured website had exceptionally lax security, and until recently allowed anyone with a small amount of technical knowledge to view or download any of the 75m database records held there. More than 60m of those records consisted of the personal data of South African citizens.”
Tech Central continues to explain: “It appears that Jigsaw had been using this data, which was likely sourced from credit bureaus, to provide a service to its estate agents. Presumably this was to allow the agents to vet prospects, and get contact information for leads. It is questionable whether a real estate company should be hosting this volume of information and it is unclear what the original source of the data was.”
“Da Vinci Forensics considers this breach to be one of the most serious in the history of South Africa. Our team is available to work with everyone to assist both in the process of discovery and in the prevention steps that are required to help thwart additional identity theft conditions.”