A South African technology company, Conor, has suffered a data breach that exposed the web browsing details of over 1 million people in South Africa. This comes after an unencrypted database containing over 890 GB of  Internet browsing log data of people's online activities was discovered by security researchers on the Internet.

The database was made by vpnMentor’s research team led by their cybersecurity analysts, Noam Rotem and Ran Locar.

"The breached database contained daily logs of user activity by customers of ISPs using web filtering software built by Conor. It exposed all internet traffic and activity of these users, along with their PII data. This included highly sensitive and private activity, including pornography. Not only did Conor expose users to embarrassment by revealing such browsing activity, but they also compromised the privacy and security of people in many countries."

A screenshot of some of the logs detailing the South African users web browsing data including their usernames. Source: vpnMentor

Negligence and violation of user privacy

What is interesting about this database leak incident is that, like many other security breaches and data leaks we have reported on in South Africa, it wasn't so much that someone maliciously accessed the database but rather it was negligence that saw the database publicly available for anyone to download.

One such notable case is South Africa's largest ever data leak in 2017 that exposed the personal records of over 50 million South Africans online. In this case, a database containing the full names, addresses, national ID numbers, and more data, was left on an FTP server which was publicly accessible.

It goes without saying that this, as is the case with Conor, is a violation of user privacy. However, as I recently discussed with Murray Hunter in this podcast episode, the problem in South Africa is that the Information Regulator office is not yet fully functional and the Protection of Personal Information Act (POPIA) is not yet fully implemented. As such, companies such as Conor will suffer no consequences for their negligence as the country's data protection laws cannot yet be fully enforced.

Extensive data

Although it appears that the majority of the logs were of South African based users, vpnMentor has highlighted that they could identify logs from other telecommunication companies in Africa and as far afield as South America.

"Our team viewed data entries from numerous mobile ISPs, such as Tshimedzwa Cellular and Flickswitch in South Africa, MTN in Kenya, and others. There were also entries from South American countries, such as the following example from Bolivia,"

More importantly, is that the data that Conor's software collected was quite extensive and went beyond just Internet browsing logs.

For example, as the security researchers pointed out, some of the data which could be linked to usernames is the type of apps that were being used.

There is no denying the possible embarrassment that users will suffer should such data fall in the wrong hands. Also important, it is Conor's clients (ISPs and telecommunications companies) who will suffer most as they will receive the bulk of the negative reaction from their clients.

Share this via: