Last week it was established that the personal information of over 30 million South Africans had been publically available for at least seven months.
Troy Hunt, who’s an Australian regional director for Microsoft, received a file from an anonymous source in March this year containing this data.
Hunt specialises in security training for online systems and, in his spare time, he runs a free online service called Have I been Pwned (HIBP). This site offers users an opportunity to find out whether their personal data has been breached or not.
In line with this, Hunt receives hundreds of files, often from anonymous sources, which he deciphers in his free time.
This particular file, titled Master Deeds, was only examined by Hunt last week and, after some digging, he established that it contained the personal information of the majority of South Africans, including ID numbers and contact details.
In collaboration with Tefo Mohapi, founder and CEO of iAfrikan, the source of the data was attributed to a data science company Dracore, and the leak may have come from one of their clients, Jigsaw Holdings.
Mohapi ensured that the file was removed from the public site last Wednesday, but it’s impossible to say how many people already accessed the Master Deeds file before then.
What is identity theft?
According to Claude Langley, business development manager in Africa for HID Global, identity theft is one of the fastest growing crimes in Africa.
“Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits,” he explained.
If someone can access your personal information, then they have the necessary tools to steal your identity.
“Identity theft is a concept that most South Africans are aware of but unfortunately unless they are directly affected by it, it seems they are not taking it seriously enough,” said Langley.
“Once you realise that your identity has been compromised and someone has taken out a cell phone contract or bank loan in your name, it may take months to rectify,” he added.
Langley pointed out that mail theft is one of the easiest methods criminals use to steal your identity.
“Syndicates will actually pay in order to sift through your rubbish and fish out personal information. Their return on investment can be substantial if they are able to successfully replicate a person’s identity,” he said.
In additional to this, identity thieves may obtain your phone number and thereby make unsolicited calls to you – claiming to be from your bank, SARS, etc.
“If they have some personal information about you such as your name or address for you to confirm, you may very well fall for this scam,” said Langley.
Your data is compromised, what now?
According to Brian Pinnock, cybersecurity expert from Mimecast, once your personal information has been compromised there isn’t much you can do, besides act quickly and make sure you don’t fall prey to future attacks.
“The first step would be to change your passwords. Stay away from passwords that incorporate your birth date, ID number or information like your spouse’s name as these are easy to crack,” said Pinnock.
He advised South Africans to create unique passwords for all online services, not to reuse passwords across different platforms, and where possible use passphrases and 2 factor authentication.
“No email should be considered safe. Hackers can now take this personal information and use it to lure unsuspecting victims into giving them access to their networks,” said Pinnock.
“The hype around this specific data breach will die down in the next few weeks but hackers can store this information and attack when you least expect it. A few months from now, victims might forget to look out for the tell-tale signs of impersonation fraud in an email,” he cautioned.