Top real estate company admits to being unwitting source of country’s largest personal data breach

18 October 2017 - 18:49 By Nico Gous
File photo.
File photo.
Image: Gallo Images/ IStock

One of South Africa’s top real estate companies has admitted to being the unwitting source of the largest known personal data breach to date in the country.

TimesLIVE has also ascertained that the dump of personal information — estimated at 31.6 million records — includes the estimated income‚ addresses and cellphone numbers of the likes of President Jacob Zuma‚ Finance Minister Malusi Gigaba and Police Minister Fikile Mbalula.

The information originated from Jigsaw Holdings which includes Aida‚ ERA and Realty-1.

Aida CEO Braam de Jager said they had “absolutely no idea” how the information was published on their server before it was removed on Wednesday afternoon.

“As I am speaking to you now‚ I have called in forensic guys into my office that are busy investigating all of these things right now‚” he said.

De Jager said the information‚ which was available for download until Wednesday morning‚ was bought from credit bureau Dracore in 2014.

The information contains amongst other things the ID numbers‚ age‚ location‚ marital status‚ occupation‚ estimated income‚ physical address and cellphone numbers of millions of South Africans.

De Jager said they bought the information to track down potential clients who might want to sell their houses.

“If we arrive at house and a tenant tells us that he knows the owner wants to sell the house‚ we ask them who the owner is. They often do not know who the owner is. We then go and extract that specific property’s information based on the address to get the owner’s information.”

Dracore CEO Chantelle Fraser said they were not responsible for publishing the information and had no kowledge of how external companies used the information.

The personal information that was published could be used for crimes like identity theft.

Dr Jabu Mtsweni‚ cybersecurity expert at the Council for Scientific and Industrial Research (CSIR) said this information could also be sold on the internet to the highest bidder.

“People who want to clone my identity. They don’t necessarily need my ID number. I don’t need to lose my ID number … This information can also be used by criminals to actually try and authenticate themselves as yourself over the phone.”

Professor Basie von Solms‚ director of the Centre for Cyber Security at the University of Johannesburg‚ said cyber criminals could use the information in this breach to obtain credit.

“With enough personal information‚ one can do damage to a person by illegally opening credit accounts or make bookings. It is an extremely big risk. The great risk is to the individual whose data has been breached.”

South Africans were alerted to the leak by Troy Hunt‚ an Australian web security expert‚ who first tweeted about it on Tuesday.

Hunt said “it’s crazy”‚ because it lists “almost every living person” in South Africa.

“Every person that I have checked that sent me their ID number‚ I have found a record for. That is very concerning.”

Von Solms noted South Africans were not out of the woods‚ because Hunt and others could have made back-ups of the information.

Hunt received the information earlier this year‚ but he only got around to checking it earlier this week. He often receives information from various sources‚ because he created HaveIBeenPwnd.com‚ a website where you can check if your information has been compromised in any data breaches against about 4.8 billion records.“Fortunately these are people [sharing the information] who have a very ethical intent.”

Additional reporting by Ernest Mabuza

X