JOHANNESBURG — TechCentral, headed up by veteran South African technology journalist and editor Duncan McLeod, has published an investigation that reveals the source of the country’s biggest ever data breach. Australian information security expert, Troy Hunt, was the first to come across the breach, which at first was thought to contain over 30 million records. But in a shocking revelation, Hunt found that over 60 million South Africans’ personal data (ranging from ID numbers to company directorships) were found to be leaked. A subsequent report by TechCentral reveals how the leak is linked to a server belonging to a local company called Jigsaw Holdings. Jigsaw is a holding company for real estate agencies such as Reality1, ERA and Aida. The leak is the biggest known data breach in South Africa to date, far surpassing the 7 million records leaked by movie-house company Ster Kinekor earlier this year. TechCentral’s report on the massive leak details how Jigsaw had incredibly weak security on their web server, with a string of errors exposing South Africans’ sensitive data to the world. While the data was merely exposed and not explicitly hacked, it still signals how South Africa has a long way to go in terms of data protection. The country’s Protection of Personal Information (POPI) Act is intended to bring the country more in line with global laws, but the implementation of the Act has been painfully slow. TechCentral has kindly given us permission to republish their piece here on BizNews. – Gareth van Zyl
By Andrew Fraser for TechCentral*
The largest data leak recorded in South Africa has been traced to a Web server registered to a real estate company based in Pretoria.
“Whois lookup” information points to Jigsaw Holdings, a holding company for several real estate franchises, including Realty1, ERA and Aida. The misconfigured website had exceptionally lax security, and until recently allowed anyone with a small amount of technical knowledge to view or download any of the 75m database records held there. More than 60m of those records consisted of the personal data of South African citizens.
Contacted by TechCentral for comment on Wednesday morning, Jigsaw management requested time to investigate the issue, and on Wednesday evening neither the company nor its legal counsel was contactable.
When the news of the huge trove of personal information was shared by information security researcher Troy Hunt on Tuesday, the initial response was that there had been a hack. But it seems that hacking wasn’t required: the information was easily available on an open Web server. Direct access to the server, had at the time of writing late on Wednesday afternoon, been secured.
It appears that Jigsaw had been using this data, which was likely sourced from credit bureaus, to provide a service to its estate agents. Presumably this was to allow the agents to vet prospects, and get contact information for leads. It is questionable whether a real estate company should be hosting this volume of information and it is unclear what the original source of the data was.
The company initially fingered for the breach in some online articles, Dracore Data Sciences, is innocent. Initial circumstantial evidence linking the company based on some common headers on one of their own websites seems to be coincidence. Although Dracore may have been a data “enricher” for the company that leaked the data, it doesn’t seem likely that they had anything to do with the leak, and Dracore is adamant that it’s not involved.
Poor information control, as in this case, is one of the reasons for the introduction of the Protection of Personal Information (Popi) Act. And, had the act been fully implemented, a negligent company could be liable to up to R10m in fines and negligent company officers jailed for up to 10 years. The ramifications of this breach probably won’t be as dire. Anyone who suffers damages due to the release of the data would have to sue for damages under common law, something that is quite difficult and complex to do.
Chris Basson, from Eighty20 business consultancy, put it like this: “Without making too many assumptions, we can say that the people responsible for building a solution which provides such uncontested access to personal information, had no business having the data in the first place.”
The credentials for these entry points were leaked via error messages from another site, and they appear to be re-using the credentials everywhere
The security missteps are egregious and, according to infosec consultancy SensePost’s Willem Mouton, showed an “overall lack of security awareness”.Basson argued that one should look beyond the ineptitude of the people who made the information so easily available, and rather ask the question: “Who was the idiot that gave them access to the data in the first place?”
“From a development perspective, the websites appear to be vulnerable to SQL injection… [and]… in terms of deployment, having database interfaces open to the Internet provide entry points.”
He pointed out that while examining the site, SensePost noticed that “the credentials for these entry points were leaked via error messages from another site, and they appear to be re-using the credentials everywhere”.
These leaked credentials allowed for full administrator privileges in the database, and in fact allowed full administrator access to all the databases on the server. To make matters worse, the personal data was contained in a single database in clear text.
Mouton also noted that it was concerning that nobody noticed the large volume of data leaving the network. “Multiple people pulled a 30GB file, and nobody noticed.”
He said verbose error messages and indexable Web directories were a boon to anyone who wished to hack the server.
Unfortunately, for South Africans whose personal information is now widely available, there isn’t much that they can do other than increase their vigilance for any attempts at identity theft.