Earlier on 18 October 2017, we published all the details we knew at the time regarding what we thought was South Africa's largest-ever data breach. This was after I had called Troy Hunt, the security consultant, researcher and founder of have i been pwned?, who had initially discovered and announced the data breach.
After spending a few hours investigating further, we can reveal that at the time of publishing this article, the database backup file (and a smaller compressed version) was still publicly available on the Internet for anyone to download.
As revealed by Hunt when speaking to iAfrikan, the file contains information including ID number (national identity number), marital status, income, company directorships held (and previously held), employment details and property ownership information. What is important to note is that this is for both deceased and living people in South Africa.
Connecting The Dots
As mentioned earlier on 18 October 2017, when we revealed details regarding the data breach, I narrowed down the possible victim of the breach to either a credit bureau or a data aggregation company, which is where I chose to start looking. This is what motivated me to look at the possibility that TransUnion, one of the largest credit bureaux in South Africa, was the victim.
Looking into whether it was TransUnion that was breached led me to Dracore Data Sciences, which counts TransUnion among its clients. What I omitted in the initial article, for purposes of brevity and getting to the point, is that after looking into Dracore, I first checked their GoVault platform, as it is advertised as "the goldmine of information offers easy access to the contact details of South African consumers and homeowners."
A quick whois search on who owns and registered the domain govault.co.za reveals that it is Hano Jacobs. I called Jacobs. He explained that he doesn't deal with any business related to GoVault, that his partner handles that, and that he would ask them to get in touch with me.
After thirty minutes passed with no contact from Jacobs, I decided to contact Dracore directly. I spoke to Adrian Hamel, who eventually told me to contact Dracore's CEO, Chantelle Fraser, directly after I had shared with him the details of the Pastebin dataset from Hunt.
Jacobs forms a key part of this story because, looking at his Twitter profile, you see that he lists the domain realty1ipg.co.za. This domain, and the fact that Jacobs is listed under GoVault's whois details, suggests he is involved in both the Dracore business and the realty1ipg.co.za business, which is owned by Jigsaw Holdings (Pty) Ltd. All Jigsaw-related domain names, including realty1ipg.co.za, are registered under the name of Michelle McCrate, who is also a director at Jigsaw.
Dracore is also known for having a number of clients in the real estate business. This, however, does not necessarily mean they were responsible for the site where the leaked records were found.
Apart from the leaked records, the site also listed folders with names of the various Jigsaw businesses.
Incompetence, Negligence Or Both?
"They’ve [Dracore] fucked up in a seriously large scale here. They’ve collected an enormous volume of data and I’m not sure the owners of that data ever gave their consent. That may still be legal, but the backlash will be severe. They then published that data to a web server with absolutely zero protection and, of course, unauthorized parties found it. You yourself [iAfrikan] found it very quickly just by searching for it. There is now going to be a very serious spotlight shone on them for the sheer incompetence of their actions and they’re in no position to threaten those who’ve reported this to them responsibly," said Hunt when speaking to iAfrikan.
At this stage we can conclusively stop calling it a data hack or data breach; it is more like a leak, and I'm being kind calling it a leak as the DATA IS STILL UP ON THE WEBSITE AS I TYPE THESE WORDS!!!
Again, at this point, I need to emphasize and state on the record that I am in no way saying that, conclusively, Dracore is responsible. I am merely sharing what is publicly available (and yes, all my rights and those of iAfrikan are reserved).
Whoever is responsible, whether Dracore, Jacobs, McCrate or anyone associated with them, needs to be taken to task. They literally "sold out" South Africa.
At this stage, we cannot and will not reveal any further details, irrespective of the fact that the information we have is publicly available.
Hunt shares the same sentiments in this regard: "I would only share the IP address and frankly, anything at all about the data you found once they’ve taken it down. The last thing anyone wants is for it to spread further."
Just a month ago in the US, a credit firm was hacked, exposing over 140 million social security numbers of Americans. You'd think that companies like Dracore (if it is their fault) would have double-checked their systems and networks at the time just to make sure they don't suffer the same fate.
What are your thoughts?
Do you think Dracore are responsible?
Who else could be responsible?
18 October 2017: What We Know So Far About South Africa's Largest Ever Data Breach