A traffic fine platform has leaked sensitive personal data of nearly 1 million South Africans.
The information included full names, national identity numbers (ID numbers), email addresses and passwords. All the personal information was unencrypted (stored in plain text format).
Australian security researcher Troy Hunt, who runs the website Have I Been Pwned?, worked with Tefo Mohapi from iAfrikan on the leak.
Mohapi reported that the personal data of 934,000 South Africans was discovered on a public web server belonging to a company responsible for handling electronic traffic fine payments in South Africa. The information was easily viewable. Mohapi explained that it seemed as if a backup was saved in a publicly accessible directory.
South Africans who have registered on an online system that enables notifications and payments of traffic fines have been advised to change their passwords immediately. People often use the same password for multiple accounts, even though this is not good practice.
“This one incident has likely already led to multiple other breaches of online accounts due to that reuse,” said Hunt.
All relevant authorities, including the Hawks and the NPA Cybercrime Unit, have been notified.
This is another massive data breach impacting South African residents. In a similar breach in October last year, the personal information of 60 million South Africans was exposed. This data included information relating to property ownership, employment history, income and company directorship as well as 30 million unique ID numbers. The information appeared to be from a credit bureau and was publicly accessible for 3 years before the breach surfaced and any action was taken.
It is unacceptable that personal information is treated in this manner. There are effective and simple-to-use technologies available to protect information. In this day and age, no data should be stored unencrypted, in plain text! By encrypting the data, incidents such as these are easily avoidable.