Massive data leak could be from a credit bureau

Source: Fin24, 18/10/2018

Johannesburg - The sensitive private information of 30 million South
Africans, contained in a massive data breach, appears to have been
hacked from a credit bureau.
This is according to Australian Microsoft regional director, Tory
Hunt, who exposed the leak on Twitter on Tuesday.
Hunt is also a security researcher and creator of the website
HaveIbeenpwned.com. The website allows people to check if their
personal information has been compromised.
Earlier this year the site exposed the hacking of Ster-Kinekor`s
website, which put more than six million accounts at risk, Business
Day reported.
Hunt said on Twitter on Wednesday that the data breach `is one of the
worst I`ve ever seen on many levels`. He said the file date on the
data was April 2015 and that it was unclear if it had been exposed
since then.

Hunt said the database contained names of people, their gender,
ethnicity, home ownership and contact information. The data also
contained people`s identity numbers and other information, such as
their estimated income, directorships and employer information.
He said on Tuesday that the information appeared to be from a
government agency. The title `masterdeeds` led him to initially
suspect that it had come from the Deeds Office.
However, that theory has since changed and it is believed that it came
from a local credit bureau which collects personal information.
Investigation
The Department of Rural Development and Land Reform said they have
noted the claims of hacking and the alleged accessing of Deeds
Registry information. They said they were looking into the matter.
Online publication iAfrikan said the data was still available publicly
on the internet for anyone to download and that the information
related to South Africans, both dead and alive.
The publication named a credit bureau, which has a database of
information and consumer contact details, that they believed was involved.
iAfrikan also quoted Hunt saying that the data company had `f***ed up`
on a large scale.
`They`ve collected an enormous volume of data and I`m not sure if the
owners of that data ever gave their consent… They then published that
data to a web server with absolutely zero protection,` Hunt said.
He said there would be huge fallout from the breach.
Some publications named data company Dracore Data Sciences and Govault
as the source of the leak.
But the company told News24 that they were not responsible in any way.
The law firm K Jordaan and Associates Inc sent a letter, on behalf of
Dracore Data Sciences, demanding a retraction.The letter said that
headers and a paste bin link sent to them from the data leak did not
refer to Govault.
It added that an IP address provided was for a South African real
estate business.
An analyst also told Business Day the information appeared to be from
a credit bureau `because one of the fields was titled CPC (Credit
Participation Certificate)`. They said the data appeared to be
accurate and was from about five years ago.
Toby Shapshak from StuffSA said on Talk Radio 702`s The Money Show on
Tuesday night that the data had very personal, sensitive information
and, even though it was from a few years ago, information such as ID
numbers and employment history did not change.
He described it as terrifying and South Africans should panic because
anyone intent on stealing identities can easily access, buy and use
the data.