Data leak: Legal delays create a 'free for all'
If the Protection of Personal Information Act (POPIA) had been fully enacted‚ those responsible for leaking the data of millions of South Africans could have been fined up to R10-million or imprisoned for up to 10 years.
The legislation was partially enacted on April 11 2014 to establish the Information Regulator.
Advocate Pansy Tlakula‚ chairperson of the Information Regulator‚ said it is "still a free-for-all situation"‚ because POPIA has only been partially promulgated.
She said the regulator is investigating the leak that includes ID numbers‚ occupations‚ estimated incomes‚ addresses and cellphone numbers.
POPIA aims to introduce minimum requirements for the processing of your personal information on a mandatory basis.
Cyber law expert Dr. Annamart Nieman said POPIA would affect public and private parties that collect‚ store‚ process and/or disseminate personal information as part of their business.
"You must be notified that your personal information will be collected and for what purpose it will be used‚" Nieman said.
"Your personal information may only be collected for a specific use and the purpose must be specified at collection time."
South Africans were first alerted to the leak after Australian cyber security expert Troy Hunt tweeted about it on Tuesday. He has a copy of the information‚ ran the numbers and found it contains the information of more than 60-million South Africans‚ including children as young as three years old and nine million deceased people.
“As of today these are three-year-olds and no‚ there's no names or other personal data on those records but ... why?!” Hunt wrote.
The information was not hacked. Real estate holding company Jigsaw Holdings‚ which includes Aida‚ ERA and Realty-1‚ admitted last week to uploading the information onto their unsecured server‚ where it was publicly accessible. It remains unclear when the information was uploaded and who might have downloaded it before it was taken down.
Aida chief executive Braam de Jager said forensic investigators are trying to establish how the information was uploaded onto their server.
Jigsaw bought the information from credit bureau Dracore Investments in 2014 to enable it to trace potential clients.
Dracore Investments‚ now Dracore Data Sciences‚ wrote on their website they had a relationship with Jigsaw from July 3 2014 for six months to enrich Jigsaw's information.
Dracore chief executive Chantelle Fraser said on Friday in an interview with TechCentral that one of the services they offer is working with the department of home affairs to verify the identity of clients.
Fraser said they also verify whether people are dead or alive.
"You will not believe how many dead people apply for personal loans."
She said Dracore is a "channel partner" of credit bureau TransUnion‚ which helps them to enrich data for their clients.
The Hawks and the department of home affairs are investigating the data leak.
What are the risks?
Your ID number can be used for identify fraud‚ to steal your tax returns‚ obtain medical services and gain citizen benefits through bogus marriages. This can damage your credit status‚ your chances of gaining employing and cost you time and money.
What can you do?
- Store personal information safely;
- Shred documents like receipts‚ credit offers‚ account statements and expired credit cards;
- Monitor your credit card‚ bank and retail statements for any fraudulent activity;
- Set up phone notifications for all purchases to immediately alert you to suspicious purchases or unauthorised activities;
- Be careful about what you share on social media and tighten your privacy and security settings;
- Do not use the same password on multiple websites;
- Use complex passwords that include numbers‚ special characters‚ upper- and lowercase letters;
- Install anti-virus protection on all your devices;
- Enable two-factor authentication (2FA) which adds an extra security layer on top your username and password; and
- Get a free credit report from a credit bureau to ensure you have not been a victim identity fraud.
If you are the victim of identity fraud:
- Report it to the police;
- Keep a copy of the report and case number; and
- Contact the Southern African Fraud Prevention Service (SAFPS) at 0860-101-248 or via e-mail at email@example.com.