A trove of data containing the personal information of more than 60 million South African citizens has been breached in the biggest data breach to hit South Africa. The breach was discovered by security researcher and creator of Have I Been Pwned, Troy Hunt.
In a blog post released by Hunt, he documents the discovery of the 27GB file and how the breached database contained at least 60 million records – a number higher than the country’s population (an estimated 56 million), meaning that the database contains files on both alive and deceased citizens.
The date of the database file indicates that the breach occurred in March 2017, however the information itself is dated back to the early 1990s. It’s quite clear that this breach has put millions of people at risk of identity theft, as the breached information includes citizen’s full names, identity numbers, gender, employment history, income, addresses and property ownership.
Some bloggers have pointed out that the source of this information may be governmental or a commercial entity (such as a bank), however the database is currently said to be linked to Jigsaw Holdings, a property company.
Jigsaw’s domain is owned by a man called Hano Jacobs, who also owns the domain belonging to GoVault, advertised as a “the goldmine of information offers easy access to the contact details of South African consumers and homeowners”. It is also known that GoVault is connected to Dracore Data Sciences, a South African data firm. Dracore Data Science’s CEO has since confirmed that her company is not responsible for the leak in a podcast released on Friday.
As the investigation continues, this is still a developing story.
Just a few months ago, the personal data of 143 million Americans was exposed following a data breach at Equifax, a credit-reporting agency and sadly, the words “data breach” have become all too common for so many people around the world.
When it comes to how data is handled today, it’s hard for me not to think of the GDPR (with its deadline looming) and how, even though it applies to organizations in or who deal with EU data, its new rules can shape how data breaches are handled in the future. Just as an example, organizations under the GDPR are required to designate a Data Protection Officer (DPO) to ensure the organization complies with the regulation and to implement the policies and procedures required to manage data outsourcing and processing activities. A DPO alone could perhaps be enough to prevent a situation like what is happening now in South Africa, as even if a data breach would still occur, the breach itself would be detected, handled, and dealt with in a smoother way.
As these larger-scale data breaches are becoming more common, I hope that the example provided by the GDPR will inspire other regions to take action to prevent the exposure of their citizen’s private data.
What are your thoughts on the current breaches? Tweet us or let us know in a comment.