Registered users can save articles to their personal articles list. Login here or sign up here

The real source of SA’s massive data breach

And no hacking was needed to access the information.

The largest data leak recorded in South Africa has been traced to a web server registered to a real estate company based in Pretoria.

Read: Data breach exposes millions of South Africans’ personal records

“Whois lookup” information points to Jigsaw Holdings, a holding company for several real estate franchises, including Realty1, ERA and Aida. The misconfigured website had exceptionally lax security, and until recently allowed anyone with a small amount of technical knowledge to view or download any of the 75 million database records held there. More than 31 million of those records consisted of the personal data of South African citizens. 

Contacted by TechCentral for comment on Wednesday morning, Jigsaw management requested time to investigate the issue, and on Wednesday evening neither the company nor its legal counsel was contactable.

When the news of the huge trove of personal information was shared by information security researcher Troy Hunt on Tuesday, the initial response was that there had been a hack. But it seems that hacking wasn’t required: the information was easily available on an open web server. Direct access to the server, had at the time of writing late on Wednesday afternoon, been secured.

It appears that Jigsaw had been using this data, which was likely sourced from credit bureaus, to provide a service to its estate agents. Presumably this was to allow the agents to vet prospects, and get contact information for leads. It is questionable whether a real estate company should be hosting this volume of information and it is unclear what the original source of the data was.

The company initially fingered for the breach in some online articles, Dracore Data Sciences, is innocent. Initial circumstantial evidence linking the company based on some common headers on one of their own websites seems to be coincidence. Although Dracore may have been a data “enricher” for the company that leaked the data, it doesn’t seem likely that they had anything to do with the leak, and Dracore is adamant that it’s not involved.

Popi Act

Poor information control, as in this case, is one of the reasons for the introduction of the Protection of Personal Information (Popi) Act. And, had the act been fully implemented, a negligent company could be liable to up to R10 million in fines and negligent company officers jailed for up to ten years. The ramifications of this breach probably won’t be as dire. Anyone who suffers damages due to the release of the data would have to sue for damages under common law, something that is quite difficult and complex to do.

Chris Basson, from Eighty20 business consultancy, put it like this: “Without making too many assumptions, we can say that the people responsible for building a solution which provides such uncontested access to personal information, had no business having the data in the first place.” 

Basson argued that one should look beyond the ineptitude of the people who made the information so easily available, and rather ask the question: “Who was the idiot that gave them access to the data in the first place?”

The security missteps are egregious and, according to infosec consultancy SensePost’s Willem Mouton, showed an “overall lack of security awareness”.

“From a development perspective, the websites appear to be vulnerable to SQL injection… [and]… in terms of deployment, having database interfaces open to the Internet provide entry points.”

He pointed out that while examining the site, SensePost noticed that “the credentials for these entry points were leaked via error messages from another site, and they appear to be re-using the credentials everywhere”.

These leaked credentials allowed for full administrator privileges in the database, and in fact allowed full administrator access to all the databases on the server. To make matters worse, the personal data was contained in a single database in clear text.

Mouton also noted that it was concerning that nobody noticed the large volume of data leaving the network. “Multiple people pulled a 30GB file, and nobody noticed.”

He said verbose error messages and indexable web directories were a boon to anyone who wished to hack the server.

Unfortunately, for South Africans whose personal information is now widely available, there isn’t much that they can do other than increase their vigilance for any attempts at identity theft.

This article was first published on TechCentral. To access the original, please click here.

Get access to Moneyweb's financial intelligence and support quality journalism for only
R63/month or R630/year.
Sign up here, cancel at any time.

COMMENTS   4

To comment, you must be registered and logged in.

LOGIN HERE

Don't have an account?
Sign up for FREE

Wow, that was easy it seems!

Well then, I’m going to (physically) try to “tear a page out of Facebook” next…

This quote from a saved copy of the apparently inaccessible Jigsaw Holdings website says it all:

“Two very dynamic brothers took ownership of Jigsaw Holdings during 2003 from ABSA Bank and has [sic] since grown the entire group into a well known and respected company.”

I can has database?

Most Estate Agencies use the Lightstone Report, which gives them direct access to sata from the Deeds Office!

Load All 4 Comments
End of comments.

LATEST CURRENCIES  

USD / ZAR
GBP / ZAR
EUR / ZAR

Podcasts

SHOP NEWSLETTERS TRENDING CPD HUB

Follow us:

Search Articles:Advanced Search
Click a Company:
server: 172.17.0.2