MASSIVE DATA PROTECTION BREACH - 30 MILLION SOUTH AFRICANS

WHAT WAS LEAKED:
A 27-gigabyte dump that contained a wide range of sensitive information belonging to South Africans, including citizens' ID numbers, personal income, age, employment history, company directorships, race group, marital status, occupation, employer and previous addresses.
From WHERE? Who is the Source?
The file containing the data was named “masterdeeds”, suggesting it may have been obtained from the Deeds Office, the custodian of information about property owners in South Africa.
Information I found on Securityaffairs.co says:
The source of the data is the GoVault platform of Dracore Data Sciences, which counts among its customers TransUnion, one of the largest credit bureaux in South Africa.

The MOST IMPORTANT question is WHO ELSE HAS ACCESS TO IT or HAS ACCESSED IT, besides Troy Hunt?
ANSWER:
“They’ve [Dracore] messed up in a seriously large scale here. They’ve collected an enormous volume of data and I’m not sure the owners of that data ever gave their consent. That may still be legal, but the backlash will be severe. They then published that data to a web server with absolutely zero protection and, of course, unauthorized parties found it. You yourself [iAfrikan] found it very quickly just by searching for it. There is now going to be a very serious spotlight shone on them for the sheer incompetence of their actions and they’re in no position to threaten those who’ve reported this to them responsibly,” said Hunt when speaking to iAfrikan.
“At this stage we can conclusively stop calling it a data hack or data breach, it is more like a leak, and I’m being kind calling it a leak as the DATA IS STILL UP ON THE WEBSITE AS I TYPE THESE WORDS!!!” concluded iAfrikan.

How did he get this info and what else has he done with it? Is he authorised to keep it or must he immediately destroy it?
Is it from here? How many South Africans own property, perhaps including deceased owners? The data dates back to the early 1990s.
The backup file was last modified in March 2017.
Who is Troy Hunt and should he be trusted?
Troy Hunt is an Australian web security expert. He created the data breach search service Have I Been Pwned? and authored several popular security-related courses on Pluralsight.

What does POPI say about the on-selling of consumer data to data aggregators, without the permission of consumers themselves?

Constitution: The Protection of Personal Information Act (POPI) aims to give effect to the constitutional right to privacy by balancing the right to privacy against that of access to information.

Objective: POPI aims to protect the personal information of people (like consumers and employees) so that they do not become victims of things like identity theft, unsolicited marketing and other activity, which can have very serious consequences, even possible criminal attacks.

Buying/selling: As a general statement, it is not unlawful to buy and sell data, but there are strict requirements when POPI comes into effect, i.e. the “aggregators”, as you refer to them, will have to get informed CONSENT from the Data Subject to process the information.
(Informed meaning with full knowledge of the possible consequences of such consent.)

POPI definition of consent: any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

Consequences of non-compliance

• Loss of customers and reputational damage
• Where such was not obtained or you obtained the information unlawfully
• The Regulator has the power to issue fines of R10 million or 10% of annual turnover, whichever is greater, or 10 years in prison, or both.

Over and above informing the Regulator, customers have the right to pursue the following:
• Class actions can be brought against the responsible party by the data subjects whose information has been unlawfully obtained or compromised where you were entrusted to secure such information.
• Individually you may sue the Responsible party for breach of privacy or

– How should consumers be protecting themselves here?

• Unfortunately right now, it’s a little too late. The water has been spilled.

• The best the Responsible party can do is to upgrade their cyber security.

• They can employ the services of a digital forensic investigator to investigate the state of the damage and whether certain data may be destroyed in places where it has been leaked.

• Sadly, in so far as the data subjects whose information has been compromised are concerned, it’s out there hey.

• On your own part, I would suggest changing all passwords and, where possible, getting new bank cards as a security measure to ensure confidence.

• Unfortunately there are things you can’t change, like your physical address or ID number, and the fact that someone out there already has your info unlawfully.

• But just in general, as a rule of thumb, be more scrupulous about what personal information you give out and where, and on which websites you plug in your card details.
• When working relationships have ended, send that email request to have your data deleted.

• Avoid posting specifically identifiable things on social media, like your car registration number, kid’s school, name badges, or where you always go to work out every day. Things like that don’t need to be broadcast.

JUSTIFICATIONS FOR THE INVASION OF PRIVACY:
Neethling identifies the following traditional grounds of justification as relevant to the right to privacy: necessity, private defence, consent to injury, and performance in a statutory or official capacity. Another ground of justification which is relevant to privacy is the protection of legitimate interests, including the public interest.