South Africans have long been of the opinion that these kinds of security incidents don’t happen here to the extent that they do in other countries, but this data leak is merely the latest in a long line of breaches locally. Earlier this year, the Cambridge Analytica scandal, where nearly 87-million people's personal information was improperly shared, affected 60 000 South African users. Last year, millions of South Africans were compromised in a “data dump” that revealed their identity numbers, ages, locations, marital statuses, occupations, estimated incomes, addresses and cellphone numbers. It included personal information about prominent people including Jacob Zuma, Malusi Gigaba and Fikile Mbalula.
The Hawks' cybercrime unit is working with the State Security Agency (SSA) to investigate this incident, which largely looks like it was caused by negligence on the part of Viewfines. The leak was discovered by iAfrikan Digital founder Tefo Mohapi, who found a backup of the sensitive data saved in a directory which was publicly accessible.
The operations manager of the company which owns the website has said they are “implementing security measures immediately” to improve the website after being informed about the breach, but that offers no consolation to the close to 1 million people affected. This leak is potentially even more damaging than last year’s incident, as many people use the same passwords across various websites and platforms. When announcing the breach, Mohapi advised anyone who has ever registered on any system online that allows them to receive notifications and pay for traffic fines to go change all their passwords.
“The registration provides you absolute security, and access is only allowed by ID and your personal password. No other member of the public can access your outstanding offence information,” the Viewfines website states. Obviously, this is not the case.
It was precisely to prevent this kind of thing that the Government created the Protection of Personal Information Act, commonly known as PoPI. However, PoPI has not yet been put into effect, limiting Viewfines’ liability. Had this incident occurred under PoPI, the company would be liable for millions in fines.
Those worried that they were affected by the leak can go to the Have I Been Pwned website (haveibeenpwned.com) and enter their email address into the required field. This will cross-reference the address with the database of affected accounts, and notify the individual if their details are compromised.