Data leakers dodge jail, R10m fine

If the Protection of Personal Information Act had been fully enacted, those responsible for leaking the data of 60 million South Africans could have been fined up to R10-million or imprisoned for 10 years.

But it was only partially enacted in April 2014 to allow for the establishment of an information regulator.

Pansy Tlakula, chairman of the regulator, said it was "still a free-for-all" because of the partial promulgation of the act.

She said the regulator was investigating the leak, which included IDs, occupations, estimated incomes, addresses and cellphone numbers.

The act is intended to impose minimum requirements on the processing of personal information.

Cyber law expert Annamart Nieman said it would affect anyone who collects, stores, processes or disseminates personal information as part of a business.

"You must be notified that your personal information will be collected and how it will be used.

"It may be collected only for a specific use that must be specified at collection time."

South Africans were first alerted to the leak after Australian cyber security expert Troy Hunt tweeted about it on Tuesday.

Last week, property holding company Jigsaw Holdings, which includes Aida, ERA and Realty-1, admitted to uploading the information onto its unsecured server, from which it was accessible to anyone.

It is not known who downloaded the information before the sever was secured.

Jigsaw bought the information from credit bureau Dracore Investments in 2014 to find potential clients.

Dracore Investments, now Dracore Data Sciences, wrote on its website that it had had a six-month relationship with Jigsaw.

In an interview with TechCentral, Dracore CEO Chantelle Fraser said that one of the services her company offered, in co-operation with the Home Affairs Department, was verifying identities.

Many loan applications are made in the names of dead people.

What can you do to protect yourself from data theft?

• Store personal information safely;
• Shred documents such as receipts, credit offers, statements and expired credit cards;
• Monitor your credit card, bank and retail statements for fraudulent activity;
• Set up phone notifications for all purchases to alert you to unauthorised activities;
• Improve online personal security settings;
• Do not use the same password on multiple websites;
• Install anti-virus protection on all your devices; and
• Get a free credit report from a credit bureau to ensure that you have not been a victim of identity fraud.