ViewFines admits to leak as investigations intensify

In a conversation with iAfrikan last week, ViewFines' Stephen Birkholtz stated that it was their database that was leaked. This came after an iAfrikan investigation, in collaboration with security consultant Troy Hunt, revealed and independently confirmed that it was indeed ViewFines' user database that was leaked.

Added to this, Birkholtz also explained how those who leaked the database could've possibly gotten hold of it.

"We were doing some changes on the website and we backed up the database to a [public] directory on the website. It was only there for 12 hours," said Birkholtz.

This confirmed iAfrikan's initial report and investigation that the file was in a publicly viewable folder on the Internet before it was leaked and uploaded to another public website. Furthermore, on the morning of 25 May 2018, ViewFines took down their website and put up a note which read "Due to a data breach kindly note that the system is currently offline to implement further security protocols."

ViewFines breach note

A few hours later, though, on the afternoon of 25 May 2018, ViewFines changed the note on their website to read "Please note that the system is currently offline while we upgrade the system with further security protocols."

ViewFines notice

More alarming, though, is that during our conversation with Birkholtz he accepted that it was their standard practice to store user passwords in plaintext. He added that he believed that, were it not for the database being leaked, the passwords were "safe" as they would be "stored in a SQL database" in plaintext.

All this raises questions about how ViewFines was able to secure working relationships with several South African municipalities, the South African Post Office, and others to facilitate the viewing and paying of traffic fines given their amateur information security practices.

Already, the Hawks spokesperson, Hangwani Mulaudzi, has indicated that they have escalated the ViewFines case and are working with South Africa's State Security Agency to investigate and possibly bring the case to a close as soon as possible.

The Hawks are set to meet with the State Security Agency later on Monday.


Update

  • 23 May 2018 - 934,000 personal records of South Africans have been leaked publicly online (including ID numbers).

  • 24 May 2018 - We have been able to confirm that South African traffic fines online payments website, ViewFines, is the source of the data leak of personal records of 934,000 South African drivers. Troy Hunt, an Australian security consultant and founder of haveibeenpwned who worked with iAfrikan in looking into the data leak, has also been able to positively identify the leaked database as belonging to ViewFines.

  • 29 May 2018 - Just under a week after iAfrikan reported on the ViewFines data leak, the company has sent a warning e-mail to its users.

    ViewFines Warning

  • 30 May 2018 - Here are some of the shocking things we discovered about the ViewFines website (before they shut it down).

  • 19 June 2018 - The ViewFines database of close to 1 million records of South African drivers has been taken down (eventually) from an anonymous file sharing site.

ViewFines Anonfile

Note: This is a developing story and we will be updating it as new information and responses become available. We have also alerted South Africa's Hawks (cybercrime unit) as well as South Africa's Information Regulator.
