What to do when your data has been leaked


File: The breach exposes more than 30 million identity numbers and other personal and related information of South African citizens on the internet.

JOHANNESBURG - The Southern African Fraud Prevention Service (SAFPS) has warned consumers to “proceed with caution” in light of  “South Africa’s biggest data breach” in which details – including ID numbers and home addresses – of citizens were dumped on the internet.

Responding to what has been billed as South Africa’s “biggest data breach”, Manie van Schalkwyk of the SAFPS warned: “This is not a situation to be taken lightly”.

SA’s Directorate for Priority Crime Investigation (Hawks) this week said it was investigating the matter.

Troy Hunt, an Australian security researcher, reportedly discovered the breach that exposes more than 30 million identity numbers and other personal and related information of South African citizens on the internet.

“Among the sensitive data amounting to about 27 gigabytes, the information includes identity numbers, personal income, age, employment history, company directorships, race group, marital status, occupation, employer and previous addresses,” said Van Schalkwyk in a statement on Friday.

He said while reports speculate on who the real victim is, it was the “consumers who are the real victims”.

READ: How to protect yourself from online identity theft

Van Schalkwyk warned that such exposure was dangerous.

“It presents an opportunity for fraudsters to open accounts and transact as one of the named parties in the leaked profiles, with enough information to verify that transaction as being conducted by themselves”.

He said “this could be both a breach and a hack where a hacker was potentially looking for an opportunity. A hacker could have various motives”.

Van Schalkwyk added: “They could sell the information, be seeking revenge on an organisation or looking to create harm. These all have repercussions.”

He said SAFPS was certain every South African “is on this database” and “should assume” that this was the case. 

The anti-fraud body warned consumers against attempting to verify if they are on the database or engaging anybody offering services to do so.  

“You could be leading yourself into further jeopardy by providing somebody else with data with the understanding that you will verify if you are on the leaked dataset. You might provide legitimate information to an illegitimate source,” said Van Schalkwyk.

“Rather get your credit report from a credit bureau and check if there are any suspicious transactions. Once you realise that something is suspicious, then it is advisable to apply for Protective Registration on the SAFPS website. 

“This will provide the consumer with added security and will alert the credit provider or the bank that the specific ID number has been compromised. This service is free of charge to consumers.”

He said should anyone lose their ID or passport or feel their identity is compromised in any way they should go to www.safps.org.za, click on lost passport/ID to apply for temporary Protective Registration that will be issued online.

“Although this event is tragic, I am convinced that all database managers will revisit their security protocols, which in itself is a positive spin-off of this event,” said Van Schalkwyk.