Master Deeds data leak contains information about children

If you missed the previous updates, it’s good to read “What should have happened in the Master Deeds leak” and “South African Master Deeds data leaked via MySQL data dump“.

I have asked Troy Hunt last night to run some more queries on the leaked database to establish origin of the data and he has updated his research. A quick run down of what happened:

My initial assumption was that the Master Deeds data leak only contained commercial information of people owning homes or having a credit record or having transacted with financial institutions. It is quite common for credit bureaus to share information for credit vetting purposes and consumers in South Africa typically consent in one way or another to share their information with 3rd parties.

When I heard from Troy that the leak contained over 60 million records and considering that the South African population is only 56m (census 2016), I immediately felt that the record set contains many duplicates, deceased or at worst contains the whole population register, including minors.

Since the data-set contains a South African ID number (comparable with a social security number), it is very easy to determine the age of the leaked data records by the first 6 characters (the date of birth):

Troy has now confirmed that out of the 66 million records, 57m million where marked as “alive” and 9.3m as “deceased”. Based on the South African ID-number, a minor (younger than 18 years of age) would have an ID number starting with 99 (for 1999) – so someone born on 24th September 2006 would have an ID number of “060924”. Since the year of the ID-number is two digits, it is very possible that “060924” could also be 24th September 1906, but this is very unlikely that the Department of Home Affairs (DHA) has captured records prior to 1940 (and if so, those records would have a low record count).

Troy then proceeded to group the Master Deeds record set by age group which then shows that 12,4m records are of minors:

Looking at a subset of the data you will notice records of children with dates of birth from December 2013 – i.e. “131218” means 18th December 2013 or 18th December 1913 (the latter being very unlikely to exist in a dump):

Did the Department of Home Affairs leak information?

With the above revelation it now becomes questionable how records of children landed up in a commercial data-set and for what purpose. It is quite common for financial sector companies such as banks to have agreements with Home Affairs to do identity verification for fraud prevention, but there should be no reason for children to appear in those records as they would have no commercial agreements.

The South African Department of Home Affairs is the official custodian of all citizen records and would ultimately be the owner/curator of the ID numbers present in the file. There is no doubt that the data was enriched through other sources such as credit bureaus. Where Dracore should be questioned is how ID records of minors landed up in a commercial dataset which was then on-sold to other parties.

I hope that DHA will investigate this and question Dracore and other parties involved on how details of minors were obtained and who has acquired the data-sets and for what purpose.

South African Identity verification “compromised”

This leak of ID numbers and other PII (personal identifiable information) will have long-term consequences for all exposed individuals. South Africa uses the ID number as the primary means of verifications. The Financial Intelligence Act (FICA) relies on it. The RICA (Regulation of Interception of Communications and Provision of Communication-Related Information Act) relies on it to associate the owner of a mobile number to a South African ID. Credit companies need it. So does the South African Revenue Service and literally any other government- or commercial entity in this country.

For years to come, the leaked identity information can now be used for phishing attacks, identity theft and other criminal means. Phishing- and social engineer attacks will dramatically increase due to the content of the data-set and the government and commercial entities affected by this will have a difficult time ahead to legitimately verify the owner of the presented identity information.

Comments from Dracore – legal consequences for Mr. Mohapi

As far as it goes, Dracore has provided some feedback on their website “Is Dracore Data Sciences Responsible For South Africa’s Largest Ever Data Leak?“. A more detailed interview describing the background of how Dracore operates and how the story unfolded is in the soundclip below.

 

Mr. Mohapi has originally broken the story and in the above interview, the CEO of Dracore has indicated that a court interdict will be issued against Mr. Mohapi.

Print Friendly, PDF & Email
  • Lew Skannen

    Gerd, Home Affairs databases, Cipro Databases and Deeds Databases are given to (some) credit bureaus. They merge these databases into their own. I do not believe this database were enriched from other sources. This data source definitely comes from a credit bureau which had access to the whole Home Affairs, Deeds and Cipro databases and also used their own credit information. Whether these databases are given to ALL credit bureaus or simply to some who then share them with others is the big question.

    • Thanks Lew. While I fully understand that sharing of some information is allowed (such as what DHA provides to certain parties as per their agreement), it puzzles me that neither DHA or the bureaus found it important to sanitize data and remove details of minors.

      • Lew Skannen

        Precisely Gerd! One would have thought that they would at least do just that to comply with, especially, the upcoming Popi Act. While I can understand Home Affairs not being affected by the act, hence the reason they do not care about sanitizing the data, one would think the credit bureaus would do it. But, I suppose they won’t either.

  • Emil Schweickerdt

    So… now what now going forward?

    How do you protect yourself from fallout resulting from this mess?

    BAH.

    edit – great job Gerd.

    • Lew Skannen

      Not really much you can do. I would also not be overly concerned about this hack either. What very few people know is that Home Affairs databases are leaking almost on a yearly basis. I have seen the first leaked Home Affairs database back in 2002. Since then, an updated database has leaked almost every year or two. It is not only Home Affairs, but other government, bank, insurance, telecommunications databases that leaks too – some of them leaking more than 2 or 3 times a year. The only thing that sets this leak apart is the fact that it ended up in the media.

      I just think the best way to deal with this is to continue as normal and just keep a regular eye on your credit profile for strange or unknown queries or possible accounts opened.

      • Emil Schweickerdt

        Thanks Lew.

        Forewarned is forearmed.

        • Lew Skannen

          No problem Emil. Sounds a bit harsh, but this is the reality. This is not the first time, second or even fourth time that the whole populations’ data has been leaked. It has happened on numerous occasions. Best we can do is keep monitoring our profiles with credit bureaus in order to identify any possible misuse of our information.