What we know so far about South Africa's largest ever data breach

South Africa has suffered its largest data breach to date: millions of personal records of people, living or deceased, who hold a South African ID number (the 13-digit identity number) have been leaked on the Internet. This was first revealed by security consultant and researcher Troy Hunt on 17 October 2017.

Hunt is also the founder of have i been pwned?, an online service that lets you check whether an account, e-mail address or username of yours has been compromised in any known data breach worldwide.

"I typically receive many files relating to data breaches daily but what struck me about this one was that it was 27GB in size," explained Hunt to iAfrikan on a call.

The data, sent to Hunt in a file titled masterdeeds.sql, contains information ranging from ID number, marital status and income to company directorships held (current and previous), employment details and property ownership information. Importantly, it covers both living and deceased people in South Africa.


Columns in the dataset. | Pastebin

Everything

"I ran the import into MySQL and after several hours it was still not done importing and I had to stop it because I needed to leave," explained Hunt.

At the time Hunt stopped the import, it had loaded approximately 30 million unique records into the MySQL database. Considering that the file contains data on deceased people too, it likely contains far more than 30 million unique South African records, more so when you take into account that the personal records in the file seem to date back at least to the late 1990s. I say at least because a query using my South African ID number returned the employment details (contact details too) of my first ever job, as an intern in 1998!

Hunt also confirmed that the dataset contains only 2,257,930 unique e-mail addresses, a small fraction of the total number of unique records. This is plausible given that many people in South Africa do not have an e-mail address.

This alone makes the file a dream for anyone who trades in identity theft: it pairs your ID number and contact details with your income information, which makes an identity thief's job, should they get hold of the data, quite a breeze.

Who Was Hacked?

At first glance, it is tempting to think that the data was leaked from a South African government department or a government-related entity such as SARS (the South African Revenue Service). A closer look at the columns in the dataset rules that out (notably, the DECEASED_STATUS column holds not a date of death but an "alive" or "deceased" value) and narrows the source down to three possible types of organization:

  1. A credit bureau
  2. A data aggregation company
  3. A digital ID/FICA repository company/startup

Given the size of the data and the columns, I ruled out option 3 and concentrated on the first two options.
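Both the figures Hunt reported (rows imported, unique e-mail addresses) and the column inspection used in this section come from looking at a mysqldump-style file. Rather than importing a multi-gigabyte dump into MySQL, which took Hunt hours and was never finished, a triage script can stream the file once and report the table name, the storage engine (the ENGINE=InnoDB clause), the column list, the row count, the number of unique e-mail addresses, how many ID values are 13 digits long and the distinct values of a column such as DECEASED_STATUS. The following Python is an added example written for this article, not code from Hunt or iAfrikan; the dump embedded in it is a constructed sample with a hypothetical table `deeds_sample`, hypothetical column names and made-up rows, not the real file's schema or data.

```python
import re
from collections import Counter

# Constructed sample in mysqldump format. The table name, columns and rows
# are hypothetical stand-ins, not the real file's schema or data.
SAMPLE_DUMP = r"""
-- MySQL dump (constructed sample)
DROP TABLE IF EXISTS `deeds_sample`;
CREATE TABLE `deeds_sample` (
  `ID_NUMBER` varchar(13) DEFAULT NULL,
  `EMAIL` varchar(255) DEFAULT NULL,
  `DECEASED_STATUS` varchar(10) DEFAULT NULL,
  `INCOME` int(11) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `deeds_sample` VALUES ('0000000000001','a@example.test','ALIVE',12000),('0000000000002',NULL,'DECEASED',0);
INSERT INTO `deeds_sample` VALUES ('0000000000003','A@Example.Test','ALIVE',15000),('12345','o\'neil@example.test','ALIVE',9000);
"""


def parse_rows(values_text):
    """Split the VALUES part of an extended INSERT into tuples.
    Handles quoted strings with backslash and doubled-quote escapes,
    NULL, and bare numbers (returned as strings)."""
    rows, row, i, n = [], [], 0, len(values_text)
    while i < n:
        c = values_text[i]
        if c == "(":
            row, i = [], i + 1
        elif c == ")":
            rows.append(tuple(row))
            i += 1
        elif c == "'":
            buf, i = [], i + 1
            while i < n:
                ch = values_text[i]
                if ch == "\\" and i + 1 < n:                        # backslash escape
                    buf.append(values_text[i + 1]); i += 2
                elif ch == "'" and values_text[i + 1:i + 2] == "'":  # doubled quote
                    buf.append("'"); i += 2
                elif ch == "'":                                     # closing quote
                    i += 1
                    break
                else:
                    buf.append(ch); i += 1
            row.append("".join(buf))
        elif c in ", \t\r\n;":
            i += 1
        else:                                                       # NULL or a number
            j = i
            while j < n and values_text[j] not in ",)":
                j += 1
            tok = values_text[i:j].strip()
            row.append(None if tok.upper() == "NULL" else tok)
            i = j
    return rows


def triage(dump_lines, id_column="ID_NUMBER", email_column="EMAIL",
           status_column="DECEASED_STATUS"):
    """Stream a dump line by line and summarise it without importing it.
    Column names are parameters because they are assumptions here."""
    table, engine, columns, create_buf = None, None, [], None
    rows, ids_13, emails, status = 0, 0, set(), Counter()
    for line in dump_lines:
        if line.startswith("CREATE TABLE"):
            m = re.match(r"CREATE TABLE `([^`]+)`", line)
            table = m.group(1) if m else None
            create_buf = [line]
        elif create_buf is not None:
            create_buf.append(line)
            if line.startswith(")"):                  # end of the column list
                m = re.search(r"ENGINE=(\w+)", line)  # the clause Fraser pointed at
                engine = m.group(1) if m else None
                columns = re.findall(r"^\s*`([^`]+)`", "\n".join(create_buf), re.M)
                create_buf = None
        elif line.startswith("INSERT INTO") and " VALUES " in line:
            for row in parse_rows(line.split(" VALUES ", 1)[1]):
                rows += 1
                rec = dict(zip(columns, row))
                if re.fullmatch(r"\d{13}", rec.get(id_column) or ""):
                    ids_13 += 1                       # looks like an SA ID number
                email = rec.get(email_column)
                if email:
                    emails.add(email.strip().lower())  # de-duplicate case-insensitively
                status[rec.get(status_column)] += 1
    return {"table": table, "engine": engine, "columns": columns, "rows": rows,
            "thirteen_digit_ids": ids_13, "unique_emails": len(emails),
            "status_values": dict(status)}


def triage_file(path):
    """Run the triage over a real dump on disk, one line at a time."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh)


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP.strip().splitlines()))
```

On the constructed sample this reports 4 rows, 3 thirteen-digit IDs, 2 unique e-mail addresses (the two spellings of a@example.test collapse to one) and the status values ALIVE: 3, DECEASED: 1. Because mysqldump writes each extended INSERT on one line, memory use stays bounded by the longest statement rather than the file size, so the same function can be pointed at a 27GB file with `triage_file(path)`.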

This is where it starts to get interesting.

TransUnion is possibly the largest of South Africa's top four credit bureaus, and is used by some of the largest retailers and financial institutions in the country. More interestingly, TransUnion appears to be a client of one of South Africa's larger data aggregators, Dracore Data Sciences. Dracore's website suggests that it provides TransUnion with the ability to verify people's data for the purpose of compiling credit reports.

Screenshot from Dracore's website.

TransUnion is not the only client Dracore has. The data company also runs an online platform known as GoVault which is (according to Dracore) a "goldmine of information [that] offers easy access to the contact details of South African consumers and homeowners."

At this point I need to emphasize and state on the record that I am in no way saying that, conclusively, Dracore were the victims of a data breach. I am merely sharing what transpired as I looked into the data breach (and yes, all my rights and those of iAfrikan are reserved).

"Escalating This Matter To Our Legal Counsel"

Logically, my first port of call is to contact Dracore. After three telephone calls, several WhatsApp chats and being asked "Who are you?" (several times) I shared the columns as per Hunt's upload on Pastebin with one of the staff at Dracore. Immediately after sharing it, I was informed that I would have to contact Dracore's CEO, Chantelle Fraser, via e-mail.

I obliged and e-mailed Fraser.

"We have looked at the table on the image you sent through and just by looking at one of the attributes we can see that this is a MySQL database. Please refer to ENGINE=InnoDB on Google. On this basis, I confirm this is not from GoVault or any Dracore database. Dracore does not run MySQL databases on Production, Testing or Development." said Fraser in an e-mail.

Fair enough, I thought as I read that part of the e-mail. I just have to scratch Dracore off the list of possible companies that suffered a data breach (or perhaps one of their clients got hacked?).

"Please note that Dracore does not have a table called master__deeds in any of our databases. Please note that in your email below you say “Internet and some investigation suggests that it could be from GoVault”. Please note that we take these allegations very seriously and kindly request that you share your investigation findings as we will be escalating this matter to our legal counsel," the e-mail from Fraser continued.

🤔

Correct, I said that. Keyword = suggests.

Nonetheless, Fraser further responded saying that she would check and confirm with their clients tomorrow (18 October 2017) whether any of them suffered a data breach or were hacked. We are also in the process of getting feedback from other data aggregators to check if they perhaps suffered a data breach.

NB!

It's important to re-emphasize that we are talking about tens of millions of personal records, and that the data is real and it exists.

As Hunt confirmed to iAfrikan, he does not know who sent him the data. More important is that the breach happened, the data has been leaked and, given what it contains, it is likely being traded somewhere. What matters at this stage is that whoever knows, or even suspects, that their data was breached makes a public announcement, so that anyone affected can be alert and take precautionary measures, where any are possible, against identity theft.

They also need a security audit of their systems, urgently!

About a month ago the US suffered one of its largest data leaks, as the personal records of 143 million Americans, including social security numbers, were exposed in a hack.

Do you have any more information on this data breach?

What are your thoughts?

Get in touch, tweet us or comment below.
