04 Nov SA’s Biggest Data Leak

Data Leaks: A Lesson For You!

In what seems to be the one biggest data leaks of its kind both locally and abroad – the Master Deeds leak hit South Africa with a bang.

The leak which was initially estimated to contain approximately 30 million unique personal records of South Africans was later halted after aggregating in excess of 60 million unique personal records.

The breach file was sent to breach and security specialist, Troy Hunt, who analysed the “masterdeeds” file had warned South Africans about the breach via his Twitter account.

Data breach details

The masterdeeds file contains in excess of 60 million South Africans’ details, including unique ID numbers, genders, contact details and other personal information.  In essence – the file contains records of ALL South Africans, both local and abroad, including deceased South Africans. After asking for input from South Africans, Hunt who had analysed the file noted that ALL participants who volunteered their information generated hits in the system. He therefore concluded – as was reaffirmed by South African government – that all South Africans should assume their information is contained in this file.

The file had been sourced by South African real estate company Jigsaw holdings in an effort to vet suitable clients for agents in their Realty1, Aida and ERA estate agencies. It should be noted that something of this kind is not out of the ordinary as most companies acquire “scrubbed” data from credit bureaux and other institutions with lists of suitable clients. The storage of such information should, however, be maintained behind secure servers and in no way be accessible to third parties. Due to the Jigsaw Holdings site’s limited security, however, the content had been available on an open web server since 2014. Essentially users who knew where the file was didn’t even need to hack into the system to acquire the file – it was accessible to anyone.

The file called “masterdeeds.sql” was sent to Hunt for analysis in March 2017. Hunt had been used by corporations and governments alike to analyse and assess possible data breaches and online security hazards. Since the file seemed, at first, rather ordinary, Hunt had only gotten round to it later this year. The masterdeeds file was a MySQL database backup file which, after analysis, pointed towards the biggest data leak in South African history. The story was followed up and investigated by South African journalist Tefo Mohapi, who traced the origin of the content to data enrichment company Dracore, who had sold the information to Jigsaw Holdings.

It is unclear who had leaked the information or made it publicly available on the open servers as both Dracore and Jigsaw Holdings had claimed innocence in this regard – both companies had reiterated, however, that this is not something which could have happened by accident as they adhere to the strictest security protocols. Having been available for years – the information contained in the masterdeeds file will likely have been replicated, distributed and used for dubious purposes by thousands if not millions of users.

Stay secure – how to keep your information private

Unfortunately, it would not be possible to keep one’s personal information completely private. South African and many other international regulators require verification of personal information for travel purposes, taxation, residency, credit verification and several other purposes.

It would, for instance, be impossible to erase one’s records with home affairs or other governmental bodies requiring such information. But there are steps one can take to limit your exposure.

1. Update your online passwords and security frequently
2. Limit your credit exposure and close any unnecessary credit or retail accounts – although your information will remain on the service providers’ databases as well as the credit bureau for a while, such information is likely to become outdated and/or overwritten in due course which would render your information
3. Add your name to the National Opt Out database and opt out of communication with all other service providers where possible. Although not all service providers adhere to the stipulations of the Direct Marketing National Opt Out database – this could see them face legal action should they still contact you after you’d requested removal of your name.
4. Improve your privacy on social media accounts to limit the personal information shared on these accounts.
5. Read the fine print – if it isn’t required by law for your personal information to be shared by with your service providers, or for your service providers to share your information with third parties, don’t authorise such disclaimers.
6. Contact your service providers to enquire as to the safeguarding of your information – it is a legal requirement for them to disclose why they require certain information, what the information is used for and how it is stored.
7. “Google” yourself and see what search results pop up. If your name is mentioned on sites or platforms you did not authorise or use personally, contact the site administrators and ask for your information to be removed.
8. Where possible, when making enquiries which aren’t pressing and don’t require your personal information, use an alias or nickname when completing this information.
9. When choosing a password, try constructing a phrase with uppercase and lowercase letters, special characters and numbers. You can replace certain letters in the phrase with characters or numbers. It is ideal to choose a phrase someone won’t easily guess and preferably in a language other than English or the language most commonly used in your country. An example of such a password is: M@s3K!NN3RS
10. If you feel a service provider or individual has a security breach, contact authorities in your jurisdiction. South Africans can also report their suspicions on the Online Technology Risk Advisory Centre (OnTrac) website.

What security measures do Rand Rescue use to ensure the safety of client information?