By Tefo Mohapi
Barely a year after South Africa's largest data leak was revealed in 2017, the country has suffered yet another data leak as 934,000 personal records of South Africans have been leaked publicly online. The data includes, among others, national identity numbers (ID numbers), e-mail addresses, full names, as well as plain text passwords to what appears to be a traffic fines-related online system.
Working together with Troy Hunt, an Australian Security consultant and founder of haveibeenpwned, along with an anonymous source that has been communicating with iAfrikan.com and Hunt, we managed to establish that the data was backed up or posted publicly by one of the companies responsible for traffic fines online payments in South Africa.
"I have a new leak which might be worthwhile, the database leak contains 1 million records of personal information of South African citizens. Including Identity numbers, cell phone numbers, email addresses, and passwords. I am aware of the website this was leaked from,” said our source upon initial contact.
They further added that the database which contains just under 1 million personal records, was discovered on a public web server that belongs to a company that handles electronic traffic fine payments in South Africa. iAfrikan.com was able to view the publicly available database and, just like the 2017 data leak of 60 million personal records of South Africans, it appears to be a possible case of negligence and carelessness when handling citizens data directory listing/browsing were enabled on the directory where their "backups" were saved.
“This is yet another reminder of how far our data can spread without our knowledge. In this case, in particular, the presence of plain text passwords poses a serious risk because inevitably, those passwords will unlock many of the other accounts victims of the breach use. This one incident has likely already led to multiple other breaches of online accounts due to that reuse,” said Hunt to iAfrikan.com.
Online traffic fine payments
South Africa has several companies that allow and facilitate the payment of traffic fines online. These include using Internet banking with some of the banks, PayCity, ViewFines, and PoCit, to name some of them.
It is also important to highlight that the leaked database, does not represent the total population of licensed drivers in South Africa. According to data from eNATIS, at the end of March 2017, South Africa had just over 12 million licensed drivers compared to the leaked database' 934,000.
Upon further investigation, we were able to confirm that the South African traffic fines online payments website, ViewFines, is the source of the data leak of personal records of 934,000 South African drivers.
Before publishing this article, iAfrikan.com had been trying to alert Stephen Birkholtz, who is listed as the person who registered the domain as well as Operations Manager at Aggregated Payment Systems (Pty) Ltd (APS) with no success since 23 May 2018. This is despite read receipts that Birkholtz read e-mails and WhatsApp messages sent and after not answering calls since the 23rd, Birkholtz mobile phone has been off as of the morning of 24 May 2018.
"It was found on a web server belonging to a company that handles electronic traffic fine payments in SA [South Africa]. Was once again a case of someone enabling directory listing/browsing where their "backups" were saved and this just so happened to be part of it," said an anonymous contact tipping off iAfrikan.com on the data leak.
What is alarming, beyond that the leaked database also contains national identity numbers of over 900,000 South Africans, is that user passwords for the ViewFines website are stored in plaintext. This allows anyone with access to the leaked database to obtain further personal data of the users including among others their vehicles and traffic fines information.
The database contains columns for the following, among others:
Unique ID - system generated ID
ID Number - 13 digit South African National ID number
Total amount of outstanding traffic fines
Password - ViewFines.co.za password stored in plaintext.
"The website provides secured access to all outstanding offenses issued by the listed Municipalities which were registered against your ID number. The registration provides you with absolute security, and access is only allowed by ID and your personal password. No other member of the public can access your outstanding offense information," reads a statement on the ViewFines website.
ViewFines also states on its website that it counts among its partners and clients companies and organizations such as Standard Bank, ABSA, South African Post Office, and many municipalities including metro municipalities like Ekhuruleni and Nelson Mandela Bay. This is further confirmed by information shared by Aggregated Payment Systems (Pty) Ltd, company that owns ViewFines, on its LinkedIn page when it states that:
APS is a database of outstanding fines collected on behalf of contracted service providers, from Municipalities, Provinces or any Law Enforcement body, for the verified payment of Traffic Fines.
APS has contracted with the following 7 major Service Providers:
- 3 of the largest banks in South Africa – First National Bank, ABSA and Standard Bank; providing payment facilities through ATMs, Cell Phone Banking, Over-the-Counter and Internet payments;
- The South African Post Office with more than 1500 online branches countrywide;
- Retail Service Providers EasyPay and Pay@ with thousands of outlets via Pick & Pay, Shoprite Checkers, Spar, and many other retail outlets;
- Internet payments through Standard Bank, ABSA, or the www.Payfine.co.za website.
34 Law Enforcement Agencies are currently contracted through the abovementioned service providers, where APS aggregate the traffic fines daily and provide a 24 hour / 7 days a week facility at Internet Solutions in Johannesburg.
At the time of publishing, and after iAfrikan contacted and engaged the banks and municipalities mentioned by APS, some of the organizations who got back to us could not provide us with an official statement and we will provide updates once the nature of the relationships ViewFines/APS has with them becomes clear. This is important because, depending on the nature of the relationship, the could be other information security risks and concerns are given how ViewFines data was leaked but also how the website doesn't handle data over a secure connection as Hunt has pointed out to iAfrikan.
"They’re [ViewFines.co.za] not serving content over a secure connection, but the certificate they have on their site is also broken," said Hunt.
Furthermore, Hunt explained that ViewFines' certificate was "issued on 8 May but then revoked on 11 May with a reason of 'cessationOfOperation'."
The leak, just like South Africa's largest data leak in 2017, highlights the importance of the country needing to have a fully functional Information Regulator who will be able to act on and enforce the countries Protection of Personal Information Act (POPIA).
Those who want to check if their data has been leaked can verify this on haveibeenpwned.