'Nearly every citizen' in South Africa at risk after 60 million records leak online

A "significant proportion" of South Africa's citizens have been left open to cyberattacks after one of the biggest data breaches to ever hit the country leaked their personal details online.

Troy Hunt, a security researcher, said in a blog this week (19 October) that the full leaked database contained at least 60 million records. The number was higher than the country's estimated population (56m), as it contains files on people both alive and deceased.

"South Africans living abroad may also account for the high number," he wrote. "The only thing we can confidently conclude is that the data represents a significant portion of the country."

Local media outlets have reported that the full extent of the incident is now under formal investigation by South Africa's Department of Home Affairs.

TimesLive found that the database contained records of the country's president Jacob Zuma, finance minister Malusi Gigaba and police minister Fikile Mbalula.

The leaked information contained citizen ID numbers, names, genders, martial statuses, home ownership information, employment details and income data.

According to Hunt, the 27GB-sized chunk of data could have been available online since April 2015.

Such information, if in the hands of hackers, could leave citizens at high risk of cyberattack – be it via highly targeted email campaigns or sophisticated social engineering scams.

Hunt told TimesLive that the leak appeared to impact "almost every living person" in South Africa. He was quoted as saying: "Every person that I have checked that sent me their ID number, I have found a record for. That is very concerning."

The breach was first reported by Tefo Mohapi, founder & CEO at tech and media website iAfrikan. It has been loaded into the breach notification service Have I Been Pwned, a website which lets potential victims of leaked information check if their details were exposed.

The data has now been taken down from the website where it was hosted, Hunt confirmed.

He wrote: "I have absolutely no idea how far this has spread. What I can say with confidence though is that people are constantly scanning the web looking for precisely this sort of data."

Who is responsible?

The database has been linked to a property company called Jigsaw Holdings Ltd, which had domains registered by a man called Hano Jacobs. One of his domains was "govault.co.za", an online platform linked to a Johannesburg-based data firm called Dracore Data Sciences.

Govault was marketed as a "goldmine" of citizen data that offers "easy access to the contact details of South African consumers and homeowners" and targeted at estate agencies.

Jacobs' Twitter profile contained a link to the (now-removed) domain "realty1ipg.co.za", an estate agency based in South Africa. Dracore Data Sciences, which has admitted previously working with Jacobs in the past, has claimed the "source of the data" was a Jigsaw Holdings server.

The full business relationship between the firms – and where blame lies – is yet to come to light.

Hunt said that there are a total of 2.2 million email addresses which have been loaded into his website, but warned that "tens of millions of actual identities" are in the complete database.

"A question that must be asked is whether South Africa wants private organisations like Dracore (allegedly) collating this much information about its citizens," he wrote the blog post.

"To the best of my understanding, this wasn't done with consent; people didn't willingly provide their data for 'enrichment' purposes.

"Now maybe that's still a totally legal activity on their behalf, but is it really in the country's best interests for an organisation to collate and then sell data to other parties in this fashion?

"The potential ramifications are now becoming clear."