Posted on October 19, 2017 at 12:11 PM
The leaked file was over 27GB and contained over 33 million records of South African citizens’ personal information.
The personal information of at least 30 million South African citizens was leaked online in a recent data breach, the biggest ever to affect the country.
The records leaked online stretched as far back as the 1990s and included highly sensitive information including ID number, names, gender, marital status, income status, company, titles, employment information, as well as property ownership details. The leaked files contained information on both living and deceased citizens.
The massive cache, called “MasterDeeds”, is 27GB and, upon closer inspection, seems to be linked to victims’ home ownership registration. Initially, security experts believed the files to be linked to the government.
The data leak was first discovered and reported by founder and CEO of the tech and media website iAfrikan, Tefo Mohapi.
Since its discovery, the leaked files have been loaded onto the data breach notification platform, Have I Been Pwned. The popular website has one of the largest databases of compromised data and is maintained by the security researcher, Troy Hunt.
According to Hunt, more than 30 million leaked records were entered into the database. He stated, via his Twitter account, that the files have been available online since April 2015. These files might have been exposed since this time.
Closer investigation has since confirmed that this massive hoard of information is linked to a company, Jigsaw Holdings Ltd. The company owned domains registered to an individual by the name of Hano Jacobs. A particular domain, govault.co.za, that was linked to Jacobs, also has ties to a Johannesburg-based company Dracore Data Sciences.
GoVault’s website advertises itself as a “goldmine” of information which offers its services specifically to real estate firms around the country. The website stated that it offers easy access to the contact details and information of South African consumers and homeowners.
Since the breach discovery, Jacobs’ Twitter profile has been removed. Previously, however, the profile contained a direct link to realty1ipg.co.za, a South African real estate agency, and previous Dracore Data Services client.
Dracore Data Services has released a statement via their website which addressed the data breach. The statement claims that Jacobs has confirmed that the source of the data leak was a compromised Jigsaw Holdings server.
According to CEO of Dracore Data Sciences, Chantelle Fraser, the company has concluded that they did not play any part in causing the data leak. Fraser has also confirmed that the scope of the data breach will be significant.
So far, the exact nature of the relationship between Dracore Data Sciences and Jigsaw Holdings remains unclear.
Concerned South Africans have been advised to check whether their personal data has been exposed via the Have I Been Pwned site. According to Hunt, the database contained only 2.2 million email addresses, but the entire database contains well over 30 million leaked identities.
Hunt stated in a tweet that he will not load government-issued IDs onto the site, as these are too personal to be online and should be carefully guarded.
Hunt continued to express his hope that the responsible party will be swift in removing the data, be accountable and notify all affected citizens. He cautioned users to refrain from blaming this on hackers, as it was clearly a company or business which blatantly uploaded sensitive data on the internet.
Considering South Africa’s population of 56 million people, this breach affects more than half of the population.