Barely a year after South Africa's largest data leak was revealed in 2017, the country has suffered yet another data leak as 934,000 personal records of South Africans have been leaked publicly online. The data includes, among others, national identity numbers (ID numbers), e-mail addresses, full names, as well as plain text passwords to what appears to be a traffic fines related online system.
Working together with Troy Hunt, an Australian Security consultant and founder of haveibeenpwned, along with an anonymous source that has been communicating with iAfrikan and Hunt, we've managed to establish that the data was backed up or posted publicly by one of the companies responsible for traffic fines online payments in South Africa.
"I have a new leak which might be worthwhile, the database leak contains 1 million records of personal information of South African citizens. Including Identity numbers, cell phone numbers, email addresses, and passwords. I am aware of the website this was leaked from,” said our source upon initial contact.
They further added that the database which contains just under 1 million personal records, was discovered on a public web server that belongs to a company that handles electronic traffic fine payments in South Africa. iAfrikan was able to view the publicly available database and, just like the 2017 data leak of 60 million personal records of South Africans, it appears to be a possible case of negligence and carelessness when handle citizens data directory listing/browsing were enabled on the directory where their "backups" were saved.
“This is yet another reminder of how far our data can spread without our knowledge. In this case, in particular, the presence of plain text passwords poses a serious risk because inevitably, those passwords will unlock many of the other accounts victims of the breach use. This one incident has likely already led to multiple other breaches of online accounts due to that reuse,” said Hunt to iAfrikan.
Online traffic fine payments
South Africa has several companies that allow and facilitate the payment of traffic fines online. These include using Internet banking with some of the banks, PayCity, ViewFines, and PoCit, to name some of them.
It is also important to highlight that the leaked database, does not represent the total population of licensed drivers in South Africa. According to data from eNATIS, at the end of March 2017, South Africa had just over 12 million licensed drivers compared to the leaked database' 934,000.
However, if you have ever registered on any system online that allows you to receive notifications and pay for traffic fines, it is best you go change your password. Also, as Hunt has indicated, you will be able to verify if your data was included in the leak from 24 May 2018 on haveibeenpwned.
The leak also comes at a time when South Africa's Information Regulator is being put under pressure to act or share feedback on recent data leaks involving South African citizens data. This also includes the data of South Africans affected by the Facebook and Cambridge Analytica saga.
"If people want to check if they were impacted, they’ll be able to do so then [starting 24 May 2018] or subscribe to the free notification service now and they’ll get an email as soon as it loads," concluded Hunt.
24 May 2018 - We have been able to confirm that South African traffic fines online payments website, ViewFines, is the source of the data leak of personal records of 934,000 South African drivers. Troy Hunt, an Australian security consultant and founder of haveibeenpwned who worked with iAfrikan in looking into the data leak, has also been able to positively identify the leaked database as belonging to ViewFines. Link
28 May 2018 - ViewFines has admitted to publishing the now leaked database relating to personal records of 934,000 South Africans, publicly online. Link
29 May 2018 - Just under a week after iAfrikan reported on the ViewFines data leak, the company has sent a warning e-mail to its users.
30 May 2018 - Here are some of the shocking things we discovered about the ViewFines website (before they shut it down). Link
Note: This is a developing story and we will be updating as new information and responses are available. We have also alerted South Africa's Hawks (cybercrime unit) as well as South Africa's Information Regulator