For who knows how long, a treasure trove of data containing at least 30 million unique South African identity numbers has been floating around the interwebs.

The dump contained about 27 gigabytes of information, and was discovered by Microsoft regional director and information security researcher, Troy Hunt.

Here’s the bad news: those 30 millions ID numbers are potentially linked to “personal income, age, employment history, company directorships, race group, marital status, occupation, employer and previous addresses,” reports Business LIVE:

Other database fields include “province, township, erf number, unit number, sales price, bond amount, bond holder, title deed, transfer date, LSM [living standards measure] group, estimated income, home ownership, and directorship”.

You can take a look at all the headers here.

That’s a lot of information about a lot of people. I mean, just last year the population of South Africa stood at around 56 million, so we’re talking about half the population here.

Hunt is also the founder of HaveIbeenpwned.com, which alerts registered users if their details have been compromised in corporate or website hacks:

Earlier in 2017 it exposed SA’s latest major data breach after Ster-Kinekor’s website was hacked in 2016, exposing more than 6-million accounts including 1.6-million unique e-mail addresses.

Discovered among a large dump of other breaches, Hunt said he was able to identify it as South African source by the personal address details, reports Tech Central:

He said that to date he hasn’t seen it offered for sale, but that “it is definitely floating around between traders”.

The actual data includes information from at least as far back as the early 1990s.

He suspects that the data was probably sourced from a government database, as it included the words “master_deeds”, but other commentators said it might have been a financial institution or credit bureau.

One person, an analyst who spoke to Hunt, told Business LIVE that “his own revealed details were accurate, and appeared to be about five years old based on his income at the time and an e-mail he had not used for about five years”:

“It’s legit. It’s real data. It’s not this guy making it up. It’s personally identifiable data,” said the analyst, who asked not to be named for personal privacy reasons.

He thought it was data from a credit bureau because one of the fields was titled CPC (credit participation certificate) and had a numerical ranking, which he speculated was a ranking of creditworthiness.

“There is no deeds information in it. The headings are there but they are blank,” he said.

Scary stuff.

Hunt explains that although the date of the database file indicates that the breach took place in March 2017, he suggests that it may have happened before.

Now, Hunt is now on a mission to identify the source of the database:

Some of the data headers seem to indicate that the source may be government, but this is not definitive. It may be that this information is from a commercial entity such as a bank or credit bureau.

Once the owner of the data is identified and informed, Hunt will upload the info to his HaveIbeenPwned service (although he notes that the data only includes around 2.2m valid e-mail addresses).

For all you know, your very own data stash might have been hacked and uploaded to some random data dump. You answer? Local information security specialists NEWORDER.

Protecting your data, whether it’s your company’s or personal, is necessary to ensure that no matter where it is stored, inbound or out, it doesn’t fall into the hands of the black hat hackers.

[source:techcentral&businesslive]