60 million ID numbers leaked in South Africa’s ‘worst data breach’

The personal records of at least 60 million people have been leaked onto the Internet in an enormous data breach that is being touted as the biggest ever leak of private information in South Africa’s history.

Australian-based security developer Troy Hunt discovered the breach last week, but fears the database may have been online for as long as two years.

Hunt said on Twitter last week that the data breach “is one of the worst I’ve ever seen on many levels”.

The sensitive data, which amounts to about 27 gigabytes, includes information such as identity numbers, personal income, age, employment history, race, marital status, employer and previous addresses.

Although the breach was initially suspected to be a hack, the source has now been traced to a web server registered to a property company called Jigsaw Holdings, according to a report by TechCentral.

Jigsaw’s misconfigured website had exceptionally lax security, and until recently anyone with a small amount of technical knowledge could view or download any of the database records held there.

A spokesperson for South Africa’s State Security Agency (SSA) told the BBC:

“We are looking into the matter. There is an investigation. We are obviously very concerned.

“It’s important to us to get to the bottom of this, see how it came about and do whatever we have to do, to deal with it.”

The country’s Protection of Personal Information Act (PoPI), introduced in 2013, aims to act as a punitive measure to protect personal data, but has reportedly still not been fully implemented.

South African organisations most at risk of a breach

A recent global report on the cost of a data breach by Ponemon Institute said that South African organisations had the highest probability of experiencing a data breach in the next 24 months.

Staying secure

If one thing is clear, it’s that there is a need for improved security in South Africa, particularly as the upcoming General Data Protection Regulation (GDPR) will apply to all South African organisations processing EU residents’ data.

An information security management system (ISMS) certified to information security standard ISO 27001 can help organisations prevent breaches by covering risks related to people, processes and technology.

By establishing a cyber resilience management system, organisations ensure they are best prepared for a disruptive incident such as a data breach or cyber attack.
