On Wednesday, October 18th, technical staff at a realty group in Centurion scrambled to figure out how millions of private records in their possession ended up online.
Troy Hunt, an Australian web security expert, exposed the leak on Twitter a day earlier. “South African followers: I have a very large breach titled ‘masterdeeds’,” tweeted Hunt. By that time, the file had been available for download on a publically accessible web server for at least seven months.
Hunt was initially made aware of the publication by someone else, reportedly, a Twitter user going by the name of Flash Gordon, who tweeted: “I saw the data back in march. At the time I didn't realize how bad it was.”
The file, titled masterdeeds.sql, contains a total of 66,360,837 records. It contains ID numbers, contact details – including phone numbers and 2.2 million email addresses, job titles, home ownership statuses, and physical addresses. According to Hunt’s analysis of the file, of more than 66 million records, approximately seven million of those are for deceased individuals. Of the entire trove, 29% of the records are of minors, some of whom were born as late as 2013.
The realtors involved
Five days after Jigsaw Holdings – the real estate holding company – was informed that its data was available online it confirmed it had blocked all access to its servers. “We took immediate appropriate measures to further investigate the matter and secure all our servers,” its director Pieter Ferreira said in a statement, adding the company had appointed independent forensic investigators to determine whether their systems had been breached.
The Hawks’ Cybercrime Unit has also launched an investigation and Ferreira says they will fully cooperate with any authority looking into the matter.
Likelihood of a hack
Officially, the question of how the data was leaked has not been verified, but the indications at this stage suggest Jigsaw was negligent even if their systems were breached.
While it is difficult to notice a hack, especially if the attack was sophisticated, a company in possession of this kind of information should surely conduct regular system audits to guard against any vulnerability, among a range of necessary measures. The facts at this stage show that Jigsaw failed to conduct these audits since at least March 14th – when Hunt was already in possession of the records.
Alternatively, if its security was up to standard, Jigsaw acted nothing short of negligently with very sensitive information. And this has been the suspicion all along.
“Let’s not call this a “hack” folks. Someone in South Africa literally published their database of the entire country to the public internet,” reads a tweet by Hunt. Apart from the fact that the publication had gone unnoticed for such a long time, there are too many questions around the suggestion of a hack. It is uncommon for cyber criminals to take the risk to steal information and then simply leave it lying on a server.
No consequences for recklessness
The Protection of Personal Information Act (POPI) states those in possession of personal information have to take the appropriate steps to prevent, among others, “the unlawful access to or processing of” such information. It must also identify all internal and external risks and implement safeguards. While failure to adhere to the Act could result in serious consequences, it is not yet enforceable as only certain sections have already been signed into law.
This renders the Hawks investigation to a large extent pointless as the only consequences Jigsaw might face for being responsible for the biggest, and most serious data leak in South Africa’s history, given the nature of the information compromised, will be reputational damage.
The implications for South Africans on the other hand are dire. The data can be used in a range of crimes; from targeting South Africans with ransomware via email, to fraud and identity theft.
Fortunately for Jigsaw, its recklessness was technically not illegal at the time. This in turn raises serious concerns about private companies in possession of our personal information and why they neglect their moral obligations to protect that information in the absence of legislation forcing them to do so.