Revealed: the real source of SA's massive data breach - TechCentral

Revealed: the real source of SA’s massive data breach

The largest data leak recorded in South Africa has been traced to a Web server registered to a real estate company based in Pretoria.

“Whois lookup” information points to Jigsaw Holdings, a holding company for several real estate franchises, including Realty1, ERA and Aida. The misconfigured website had exceptionally lax security, and until recently allowed anyone with a small amount of technical knowledge to view or download any of the 75m database records held there. More than 60m of those records consisted of the personal data of South African citizens.

Contacted by TechCentral for comment on Wednesday morning, Jigsaw management requested time to investigate the issue, and on Wednesday evening neither the company nor its legal counsel was contactable.

When the news of the huge trove of personal information was shared by information security researcher Troy Hunt on Tuesday, the initial response was that there had been a hack. But it seems that hacking wasn’t required: the information was easily available on an open Web server. Direct access to the server, had at the time of writing late on Wednesday afternoon, been secured.

It appears that Jigsaw had been using this data, which was likely sourced from credit bureaus, to provide a service to its estate agents. Presumably this was to allow the agents to vet prospects, and get contact information for leads. It is questionable whether a real estate company should be hosting this volume of information and it is unclear what the original source of the data was.

The company initially fingered for the breach in some online articles, Dracore Data Sciences, is innocent. Initial circumstantial evidence linking the company based on some common headers on one of their own websites seems to be coincidence. Although Dracore may have been a data “enricher” for the company that leaked the data, it doesn’t seem likely that they had anything to do with the leak, and Dracore is adamant that it’s not involved.

Popi Act

Poor information control, as in this case, is one of the reasons for the introduction of the Protection of Personal Information (Popi) Act. And, had the act been fully implemented, a negligent company could be liable to up to R10m in fines and negligent company officers jailed for up to 10 years. The ramifications of this breach probably won’t be as dire. Anyone who suffers damages due to the release of the data would have to sue for damages under common law, something that is quite difficult and complex to do.

Chris Basson, from Eighty20 business consultancy, put it like this: “Without making too many assumptions, we can say that the people responsible for building a solution which provides such uncontested access to personal information, had no business having the data in the first place.”

Basson argued that one should look beyond the ineptitude of the people who made the information so easily available, and rather ask the question: “Who was the idiot that gave them access to the data in the first place?”

The security missteps are egregious and, according to infosec consultancy SensePost’s Willem Mouton, showed an “overall lack of security awareness”.

“From a development perspective, the websites appear to be vulnerable to SQL injection… [and]… in terms of deployment, having database interfaces open to the Internet provide entry points.”

He pointed out that while examining the site, SensePost noticed that “the credentials for these entry points were leaked via error messages from another site, and they appear to be re-using the credentials everywhere”.

These leaked credentials allowed for full administrator privileges in the database, and in fact allowed full administrator access to all the databases on the server. To make matters worse, the personal data was contained in a single database in clear text.

Mouton also noted that it was concerning that nobody noticed the large volume of data leaving the network. “Multiple people pulled a 30GB file, and nobody noticed.”

He said verbose error messages and indexable Web directories were a boon to anyone who wished to hack the server.

Unfortunately, for South Africans whose personal information is now widely available, there isn’t much that they can do other than increase their vigilance for any attempts at identity theft.  — © 2017 NewsCentral Media

  • CouchPotato

    I still just wanna know for what good reason the credit bureau gave a real estate company a 30gig data dump in the first place ??

  • Caveman

    The real estate company got the data from a company called Dracor. So, technically, it is not really a leak if the data is publicly available for anyone that pays for it.

  • Taryn

    I want to know who manages this company’s web services and security? Not likely an estate agency manages it in house.

  • nkokhi

    Make sense and I agree. They have been selling it.

  • nkokhi

    Government agencies still upload PDFs that have personal data (Name, Surname, ID number, Address) on their websites and gazettes. Someone needs to look into that, I noticed this 10 years ago and till today, this info still shows on google searches.

  • AndrewWheelerDealer

    This data did not come from a credit bureau. I just hope the regulator will investigate and make an example of whoever is at fault.
    There is enough information on their so that anyone would be able to take out a loan or open a credit card in your name…

  • So I know what a WHOIS lookup is, but I’m not sure how they used it with a data dump. Was there an IP address included somewhere?

  • m_ber

    My question is how an outfit like Dracore Data Sciences’ manages to get access to this data from the deeds office and what sort of clearances, permissions, constraints, was this release subject to. Is there some sort of permit/licensing arrangement relating to sales of this sensitive data to third parties and surely there must be commercial agreements that specify conditions relating to it’s dissemination. Was this originally stolen from the deeds office? This is insanity and must definitely be prosecuted considering the potential ramifications of this leak. After reading Dracore’s rebuttal on their site by fingering their customer (Jigsaw) who gave this data to Realty-1, ERA, Aida, and whoever….seems to have originated from Hano Jacobs. Then threatening the messenger (iAfricakan) the messenger who was trying to help and stem the leak is not the act of an innocent participant. Like Stasi informers their evil deeds(selling private information) have caught-up with them. Andrew Fraser’s mentioning in this article that “…Dracore Data Sciences, is innocent…” and Chantelle Fraser’s (CEO of Dracore) insisting their innocence may not be correct, where consequential damages that this event caused negligent and careless business practice might see some form of legal sanction. Hope the NPA go to these companies and the first question they must ask to whoever owned the source data….is….”where and how did your get this information?”

  • Gman

    Would be interesting to check on what grounds we’d be able to sue.

  • Andrew Fraser

    An IP address and port number was shared anonymously.

  • Shot, thanks. I assume it was the hackers who shared it.

  • Andrew Fraser

    no, it was a concerned citizen. There was no “hack”, the information was on an open, unsecured indexed web server.

  • Ok, that’s what I meant. I also dislike when people use the term ‘hack’ too generously, e.g. when they don’t protect their passwords.