The sensitive private information of 30 million South Africans, contained in a massive data breach, appears to have been hacked from a credit bureau.
This is according to Australian Microsoft regional director, Tory Hunt, who exposed the leak on Twitter on Tuesday.
Hunt is also a security researcher and creator of the website HaveIbeenpwned.com. The website allows people to check if their personal information has been compromised.
Earlier this year the site exposed the hacking of Ster-Kinekor's website, which put more than six million accounts at risk, Business Day reported.
Hunt said on Twitter on Wednesday that the data breach "is one of the worst I've ever seen on many levels". He said the file date on the data was April 2015 and that it was unclear if it had been exposed since then.
Hunt said the database contained names of people, their gender, ethnicity, home ownership and contact information. The data also contained people's identity numbers and other information, such as their estimated income, directorships and employer information.
He said on Tuesday that the information appeared to be from a government agency. The title "masterdeeds" led him to initially suspect that it had come from the Deeds Office.
However, that theory has since changed and it is believed that it came from a local credit bureau which collects personal information.
Investigation
The Department of Rural Development and Land Reform said they have noted the claims of hacking and the alleged accessing of Deeds Registry information. They said they were looking into the matter.
Online publication iAfrikan said the data was still available publicly on the internet for anyone to download and that the information related to South Africans, both dead and alive.
The publication named a credit bureau, which has a database of information and consumer contact details, that they believed was involved.
iAfrikan also quoted Hunt saying that the data company had "f***ed up" on a large scale.
"They've collected an enormous volume of data and I'm not sure if the owners of that data ever gave their consent... They then published that data to a web server with absolutely zero protection," Hunt said.
He said there would be huge fallout from the breach.
Some publications named data company Dracore Data Sciences and Govault as the source of the leak.
But the company told News24 that they were not responsible in any way.
The law firm K Jordaan and Associates Inc sent a letter, on behalf of Dracore Data Sciences, demanding a retraction.The letter said that headers and a paste bin link sent to them from the data leak did not refer to Govault.
It added that an IP address provided was for a South African real estate business.
An analyst also told Business Day the information appeared to be from a credit bureau "because one of the fields was titled CPC (Credit Participation Certificate)". They said the data appeared to be accurate and was from about five years ago.
Toby Shapshak from StuffSA said on Talk Radio 702's The Money Show on Tuesday night that the data had very personal, sensitive information and, even though it was from a few years ago, information such as ID numbers and employment history did not change.
He described it as terrifying and South Africans should panic because anyone intent on stealing identities can easily access, buy and use the data.