How did it happen that a property company put an estimated 60-million South Africans’ most sensitive personal information into an insecure database file and on an insecure web server that has now been linked to the biggest data breach in South African history?
How did they manage to collate so much data about us without our permission?
And, as bizarre as it sounds, how is it that they might get off scot-free for exposing potentially all of us to identity theft because the relevant legislation hasn’t been properly implemented yet?
The Protection of Personal Information (POPI) Act 4 of 2013 is an ideal framework to protect our identities in this new digital age. It has a pretty good way to keep us safe from unscrupulous misuse of our personal details, and aims “to introduce certain conditions so as to establish minimum requirements for the processing of personal information,” it reads.
Pity it isn’t fully operational. Even then, what happened last week in what’s been named the “masterdeeds” leak by the man who discovered it, famed security researcher Troy Hunt, wouldn’t be a crime, but you wouldn’t be able to collect all of that data in the first place without our permission.
The name comes from the column headings in the database, which alerted Hunt, who runs the Haveibeenpwned.com website, that it might be property related. This was confirmed after the leak was traced to servers run by Jigsaw Holdings, which owns Aida, ERA and Realty-1.
“Under existing common law, there are implications for companies that intentionally or negligently disseminate private information, but the process is arduous and the remedies are not significant,” said Dario Milo, the astute media law expert and partner at law firm Webber Wentzel. A maximum fine of R10m could have been imposed if POPI were fully in force, but the necessary regulatory body, the Information Regulator, has only been established this year, despite the Act being enacted four years ago.
After the story broke last week, when Hunt began tweeting about the South African references and email addresses he had found in the 27 gigabyte database file he was sent, I was called by an astonished South African radio reporter working in London. Apart from the obvious “how did this happen”, she wanted to know if the police would investigate such a massive data leak, which in any other democracy would be swiftly and mercilessly prosecuted for the massive invasion of our privacy that it was. I had to explain that our national head of prosecutions is laughably incompetent and derided as Shaun the Sheep while he pretends the country hasn’t been stolen right under the noses of law enforcement. What chance does a data leak have?
“Under common law there are obligations to not disseminate personal information without consent or other justification,” Milo told me, but the only way to take action would be through a common law breach of privacy claim. The chances of that happening, and winding its way through the courts for years, are about as good as either Presidunce Jacob Zuma or the Guptas paying back the money.
We are left with the terrible reality that all of our most sensitive details have been exposed online to any number of cyber criminals and identity theft could affect all of us. It is simply unbelievable that one company could create such a database without our consent and be so reckless with it.
As Milo says: “In a POPI world, things will be dramatically different”.
This column first appeared in Financial Mail