Millions of South Africans have had their most private information exposed

It’s all out there.
It’s all out there.
Image: Reuters/Mike Hutchings
We may earn a commission from links on this page.

South Africa has suffered a massive data leak, and there’s nothing anyone can do about getting their personal information back. Millions of citizens’ identity numbers have been leaked on the internet, along with their genders, ethnicity and home ownership.

“Trying to get your data back from the internet is like trying to get piss out of a pool,” said Troy Hunt, the Australian data security analyst who uncovered the leak. Hunt has set up a platform where people can check if their information has been leaked, but that only works for 2.2 million email addresses, a fraction of the breach.

In March this year, Hunt received a 27 GB file that didn’t seem remarkable at the time, until he needed to free up some disk space and so processed the folder on Tuesday, Oct. 17. There he uncovered 31.6 million records, and that’s just about half of it.

On Wednesday, Oct. 18, as the scale of the data leak became apparent he imported the information again, and this time found 60.3 million unique identity numbers. With the country’s population at 55 million, many of these identity numbers probably belong to deceased citizens, which is ideal for impersonation and identity theft, he told Quartz.

By Hunt’s timeline, the data has been in the public domain for at least seven months or at most since April 2015, which is when the list was last modified.

The exact source of the leak is unclear, but a news investigation points to Dracore, a consumer database company that shares data with clients, in this case a property holdings company. In a detailed post, Dracore has denied being the source.

“I really hope someone goes to jail, but the chances are slim,” said Basie von Solms, the director of the University of Johannesburg’s Cyber Security center.

South Africa has strict cyber security and online privacy laws. Under the Protection of Personal Information Act, or POPI, citizens entrust their data to second parties and can have it removed, explains von Solms. The law is exemplary in cyber security, except that is has yet to be enforced.

“We would have had a textbook case for POPI,” said van Solms, adding that the law could see leakers face high fines or jail time.

Data breaches are increasingly common and more severe in the United States. Last month, Equifax one of the big three credit agencies revealed it had been hacked exposing the records of more than 145 million Americans.