Top estate company source of data hack
Firm ‘has no idea’ how SA’s biggest breach of personal info happened
ONE of South Africa’s top real estate companies has admitted to being the unwitting source of the largest known personal data breach to date in the country. It has also been ascertained that the dump of personal information – estimated at 31.6 million records – includes the estimated income‚ addresses and cellphone numbers of the likes of President Jacob Zuma‚ Finance Minister Malusi Gigaba and Police Minister Fikile Mbalula.
The information originated from Jigsaw Holdings, which includes Aida‚ ERA and Realty-1.
Aida chief executive Braam de Jager said they had absolutely no idea how the information had been published on their server before it was removed yesterday afternoon.
“I have called forensic guys into my office who are busy investigating all of these things right now‚” he said.
The information‚ which was available for download until yesterday morning‚ had been bought from credit bureau Dracore in 2014, he said.
The information contains among other things the ID numbers‚ age‚ location‚ marital status‚ occupation‚ estimated income‚ physical address and cellphone numbers of millions of South Africans.
De Jager said they had bought the information to track down potential clients who might want to sell their houses.
“If we arrive at a house and a tenant tells us that he knows the owner wants to sell the house‚ we ask them who the owner is.
“They often do not know who the owner is. We then go and extract that specific property’s information based on the address to get the owner’s information.”
Dracore chief executive Chantelle Fraser said they were not responsible for publishing the information and had no knowledge of how external companies used it.
The personal information could be used for crimes like identity theft.
Council for Scientific and Industrial Research cybersecurity expert Dr Jabu Mtsweni said it could also be sold on the internet to the highest bidder.
“People who want to clone my identity don’t necessarily need my ID number.
“I don’t need to lose my ID number . . . This information can also be used by criminals to try to authenticate themselves as you over the phone.”
Professor Basie von Solms‚ director of the Centre for Cyber Security at the University of Johannesburg‚ said cyber criminals could use the information in this breach to obtain credit.
“With enough personal information‚ one can do damage to a person by illegally opening credit accounts or make bookings. It is an extremely big risk. The great risk is to the individual whose data has been breached.”
South Africans were alerted to the leak by Troy Hunt‚ an Australian web security expert‚ who tweeted about it on Tuesday.
He said “it’s crazy”‚ because it lists “almost every living person” in South Africa.
Von Solms said South Africans were not yet safe, because Hunt and others could have made back-ups of the information.
Hunt received the information earlier this year‚ but checked it only earlier this week. He often receives information from various sources‚ because he created HaveIBeenPwnd.com a website where you can check if your information has been compromised in any data breaches against about 4.8 billion records.
“Fortunately these are people [sharing the information] who have a very ethical intent.” – Additional reporting by Ernest Mabuza