In what is arguably South Africa's largest-ever data leak involving the personal records of 60,323,827 South Africans (alive or dead) being made available publicly online, more questions have been raised as it has also been revealed that 19% of the records in the dataset are those of children. This revelation along with concerns around identity theft resulting from the leak saw us, iAfrikan, reach out to TransUnion Africa (TransUnion).
TransUnion is one of South Africa's largest credit bureaux and on 24 October 2017, they announced the availability of a free solution for consumers which will alert them as soon as there is a unauthorized change or discrepancy on their credit record.
Lee Naik, CEO at TransUnion Africa.
"As you may be aware this matter is subject to investigation by the National Credit Regulator (NCR) and as with any investigation of this nature, we need to ensure we maintain our confidentiality obligations to the parties involved. We take the protection of consumer information extremely seriously and will continue to work closely with the National Credit Regulator on their investigations," said Lee Naik, CEO at TransUnion Africa, in an e-mail to iAfrikan.
During iAfrikan's initial investigations into the data leak, we discovered that TransUnion has a relationship with Dracore Data Sciences (Dracore). This was further confirmed in a letter sent to us on 18 October 2017 by K Jordaan And Associates. Inc (on behalf of Dracore), where it is stated that "our client's account with Transunion has been suspended pending a formal investigation to be launched."
We thus posed the question to Naik on whether Transunion is a Dracore client or if they work together.
"Dracore is a TransUnion Channel Partner." explained Naik.
"We have not terminated our Channel Partner agreement with Dracore Data Sciences. At the instruction of the NCR, we have however temporarily suspended all services to Dracore pending the outcome of the NCR’s investigation."
Excerpt from a letter sent by K Jordaan & Associates. Inc on behalf of Dracore Data Sciences (Pty) Ltd.
Given that the NCR and various South African law enforcement agencies are involved in the investigation, it is important, as Naik also emphasized, that certain confidential information is not disclosed at this stage. Such information would also include details of the nature of the relationship between TransUnion and Dracore.
But, what of the millions of children's records in the dataset?
"No credit bureau in South Africa, including TransUnion, is allowed to store data on minors," said Naik.
This is an important and possibly critical point. In a statement dated 22 October 2017, Chantelle Fraser (CEO at Dracore) states that the "reason why we work with child data is because we must do household income verification for the Universities. Please note that when a student applies for government funding, Blade Nzimande, made a ruling that no student where their household income exceeds R600 000 per annum can get government funding. We do this work for all Universities through PURCO the purchasing consortium for higher education institutions."
Excerpt from a statement by Dracore Data Sciences (Pty) Ltd's CEO, Chantelle Fraser on 25 October 2017.
That explanation, if in fact correct, does not explain why records of children as young as 3 years old, who definitely don't qualify for university, made their way into a dataset that Fraser has now confirmed they helped enrich or collect.
In a country where abuse and violent crimes are among the top crimes, it is worrying that addresses of where children live were not only leaked publicly but are being collected, for what purpose, no one knows. Another big threat posed by the data leak is identity theft.
"A data breach does not necessarily result in identity theft, but there are a number of precautions you can take if you suspect you have been part of a data breach, or at any time you have reason to be concerned about your identity security," explained Naik.
According to Naik, TransUnion encourages all South African consumers to protect their credit profile by taking advantage of their free alerts service which they launched, as a result, this breach.
"Once activated, the free Alerts service will monitor the consumer’s profile until the end of January 2018. The Alerts service provides a consumer updates via SMS or email on critical changes to their credit profile.I would also recommend registering lost or stolen identity documents and/or passports with the South African Fraud Prevention Services. You can also report suspected fraud to the SAFPS helpline on 0860 101 248."
Between the National Credit Act, Consumer Protection Act, Electronic Communications and Transactions and the not yet fully implemented Protection of Personal Information Act, South Africa has several laws that govern the collection of personal information.
"There are various Acts that govern consumer data in South Africa. All businesses that manage or store data need to act within the regulatory framework applicable to the type of data they manage. With the implementation of POPIA next year, we will see an increased focus on how consumer data is managed across all businesses and industries," concluded Naik.
18 October 2017: What We Know So Far About South Africa's Largest Ever Data Breach
Cover Image Credit: dhk.