Nearly a million people in SA exposed in data leak
Sensitive personal information about nearly one million people who pay traffic fines online in South Africa has been leaked publicly.
The data leak of 934 000 records contains identity numbers, e-mail addresses, full names and passwords.
Australian cyber security researcher Troy Hunt along with Tefo Mohapi from iAfrikan discovered, after some detective work, that the “data was backed up or posted publicly by one of the companies responsible for traffic fines online payments in South Africa”.
The leak does not affect all licensed drivers; only those who have registered to pay traffic fines online using one or more of the sites that provide the service. People who have registered to pay traffic fines online were urged to change their passwords.
“This is yet another reminder of how far our data can spread without our knowledge. In this case, in particular, the presence of plain-text (unencrypted) passwords poses a serious risk because inevitably, those passwords will unlock many of the other accounts victims of the breach use. This one incident has likely already led to multiple other breaches of online accounts due to that reuse,” said Hunt to iAfrikan.
Hunt is founder of the website haveibeenpwned, which allows users to check if their personal information has been compromised online. He said people would be able to verify if their data was included in the latest leak by visiting the site later on Thursday.
iAfrikan said it had alerted the Hawks and South Africa’s Information Regulator about the leak.
TimesLIVE reported in late 2017 how millions of South Africans were compromised in a “data dump” that revealed their identity numbers, ages, locations, marital statuses, occupations, estimated incomes, addresses and cellphone numbers. It included personal information about prominent people including Jacob Zuma, Malusi Gigaba and Fikile Mbalula.
Hunt was the person who first alerted South Africans to that leak. One of South Africa's top real-estate firms admitted to being the unwitting source of the data, hacked in what was then the largest-known personal data breach in the country.
Hunt said in a tweet that he had worked out which company the latest leak had emanated from.