Millions of South African’s ID numbers and other personal information leaked

Almost 30GB of information that includes roughly 30 million ID numbers, estimated income, age, occupation, previous address and other personal data has been spotted online by data security researcher Troy Hunt. It’s clearly the biggest data leak in South African history, but what’s far less clear is where the data came from, and whether its appearance online is due to malice, negligence or some combination of the two.

Hunt, a Microsoft regional director, tweeted about the find on Tuesday. Hunt is also the man behind the website haveIbeenpwned.com, which lets members of the public check whether their email address has been compromised in publicised hacks. It’s the same site that earlier this year brought the hack of Ster-Kinekor’s website in 2016 to light. That incident exposed millions of accounts and the email addresses associated with them.

On Wednesday afternoon Hunt added the email addresses from the leaked data to haveibeenpwned, so if you want to check if your data is included in the leak head on over. You may need to try various email addresses, though, including ones you haven’t used for a number of years as some of the data dates back to the late 1990s. We can’t remember what our hotmail or rocket mail email addresses were, but perhaps you can?

Initially it was unclear whether the data was legitimate, but numerous South Africans who follow Hunt on Twitter offered to let him compare their information to the leaked info… and sure enough, it’s legit. Given the nature of the information, it appears it may have come from a government database or a bank or other large financial institution.

Whoever turns out to be responsible, this is the sort of record-breaking event we’d all rather hadn’t happened, and highlights the need for better data handling practices and stricter, more punitive regulation when those practices aren’t adhered to.

[UPDATE: Late on Wednesday TechCentral reported that the source of the leak was Pretoria-based real estate holding company Jigsaw.]

It also reminds us that the trend of massive data leaks isn’t going to stop any time soon. More than 140 million US citizen’s social security numbers were leaked after a hack in September, Yahoo had three billion account’s information compromised and dating site Ashley Madison fell victim to hackers in 2015.

What’s the lesson in all of this? Don’t use the same passwords across websites, use strong passwords, and use a service like LastPass to help you stay on top of them. And, of course, local down your LastPass or other password manager with a particularly strong password.