Barely a year after South Africa’s largest database leak was revealed in 2017, the country has suffered yet another data leak as 934,000 personal records of South Africans have been leaked publicly online. The data includes, among others, national identity numbers (ID numbers), e-mail addresses, full names, as well as plain text passwords to what appears to be a traffic fines related online system.
Working together with Troy Hunt, an Australian Security consultant and founder of haveibeenpwned, along with an anonymous source that has been communicating with iAfrikan and Hunt, we’ve managed to establish that the data was backed up or posted publicly by one of the companies responsible for traffic fines online payments in South Africa.
The database which contains just under one million personal records was discovered on a public web server that belongs to a company that handles electronic traffic fine payments in South Africa. iAfrikan was able to view the publicly available database and, just like the 2017 data leak of 60 million personal records of South Africans, it appears to be a possible case of negligence and carelessness when handle citizens data directory listing/browsing were enabled on the directory where their “backups” were saved.
The leak also comes at a time when South Africa’s Information Regulator is being put under pressure to act or share feedback on recent data leaks involving South African citizens data. This also includes the data of South Africans affected by the Facebook and Cambridge Analytica saga.
“If people want to check if they were impacted, they’ll be able to do so then [starting 24 May 2018] or subscribe to the free notification service now and they’ll get an email as soon as it loads,” concluded Hunt.