On 28 May 2019 we, iAfrikan, received communication from the office of the Information Regulator (South Africa) stating that they were closing their file on one of the country’s largest data leaks, involving 1 million personal records of South African drivers. They noted that the company, ViewFines, had communicated with registered users about the leak and that the website had been permanently shut down.
We were the recipients of the official feedback from the Information Regulator not because we broke the story in 2018, but specifically because we filed extra information and documents regarding the leak with the Information Regulator.
To recap, on 24 May 2018 (a year before the Information Regulator eventually closed the case and provided feedback to us) we were able to confirm that the South African online traffic fine payment website ViewFines was the source of the data leak of personal records of 934,000 South African drivers. Troy Hunt, an Australian security consultant and founder of Have I Been Pwned who worked with iAfrikan in looking into the data leak, was also able to positively identify the leaked database as belonging to ViewFines.
The database held records on almost 1 million South African drivers and included the following fields, among others:
- Unique ID - system generated ID
- ID Number - 13 digit South African National ID number
- Full Names
- Mobile Number
- Total amount of outstanding traffic fines
- E-mail address
- Password - ViewFines.co.za password stored in plaintext.
Not enough people care about online privacy in Africa
After receiving that communication from the Information Regulator in 2019 and having worked on numerous other data breaches and leaks investigations across the continent, I felt (for a few minutes) discouraged.
My discouragement stemmed from the fact that, despite the owners of the website acknowledging and the iAfrikan investigation proving that the data leak was a result of the company’s negligence, no action will be taken against the company or its directors.
Some people argue that data leaks are generally victimless crimes. I disagree.
There are far too many identity theft cases, especially in South Africa, for this argument to hold. One such case is that of a South African radio producer who discovered, while going through international departures at O.R. Tambo International Airport, that she had a criminal record. She was arrested on the spot and couldn’t board her work-related flight. She was later released on bail and had to spend months and a lot of money trying to clear her name, because someone had stolen her identity, used it to steal at a retail store and somehow left their fake ID document behind.
Why you should care about privacy
Why do we care about online privacy so much? (Discussed extensively in this podcast episode in which Murray Hunter also explains the South African government's mass surveillance of citizens and what you can do to protect your online privacy)
"I will say maybe ignorance of the weight of the consequences of it. Maybe if many of us are sensitized on how grievous the breach on people’s Internet privacy are we might begin to take it seriously. For now we just want to enjoy the limited access we have." - Olukotun Oluwasegun.
Perhaps, as Olukotun puts it, it is ignorance about the potential consequences of such data leaks.
The question then is, how do we raise awareness?
It's not as if data breaches and leaks are becoming less frequent. As we speak, we at iAfrikan are aware of and currently investigating two potential security and data breaches in two different countries on the continent, which affect not only the identities and private data of thousands of people, but their financial transactions and information as well. As always, and as we've come to expect, all the companies involved are yet to alert their customers and are somewhat nonchalant about the potential breaches.
Unfortunately, as mentioned, they also know that there are no real legal implications for their potential negligence.