Earlier on 18 October 2017, the team at iAfrikan and I published all the details we knew at the time regarding what we thought was South Africa’s largest-ever data breach. This was after I had called Troy Hunt, the security consultant, researcher and founder of have i been pwned?, who had initially discovered and announced the data breach.
“I typically receive many files relating to data breaches daily but what struck me about this one was that it was 27GB in size,” explained Hunt in a conversation with iAfrikan.
The data included the records of at least 30 million South Africans, but the actual number might be much bigger. However, one major question was yet to be answered in our original article — Who was breached and where did all of this personal data come from?
What kind of data was breached?
The breached data, which was sent to Hunt in a file titled masterdeeds.sql, contains information ranging from ID number, marital status, income and company directorships held (and previously held) to employment details and property ownership information. This includes information on people in South Africa both alive and deceased; when this article was published on October 18, the database backup file (and a smaller compressed version) was still publicly available on the Internet for anyone to download.
Due to the immense size of the data, Hunt hadn’t completed importing all of the data into MySQL, but it’s clear that at least 30 million unique records were involved and the number is likely to increase. The personal records contained in the file seem to, at a minimum, date back to the late 1990s.
I say at a minimum because based on a query using my South African ID number, it had employment details of my first ever job as an intern in 1998 (contact details too)!
Connecting the dots
In our original article, I narrowed down the possible victim of the breach to either a credit bureau or a data aggregation company, which is where I chose to start digging. One of the largest credit bureaux in South Africa is TransUnion, which is where I kicked off the investigation.
Looking into whether it was TransUnion that was breached led me to Dracore Data Sciences which lists TransUnion as one of its clients. What I omitted in the initial article for brevity is that after looking into Dracore, I first checked their GoVault platform as it’s advertised as “the goldmine of information offers easy access to the contact details of South African consumers and homeowners.”
A quick WHOIS lookup on who owns and registered the domain govault.co.za reveals that it’s Hano Jacobs. I called Jacobs and he explained that he doesn’t deal with any business related to GoVault, that his partner handles that, and that he would ask them to get in touch with me.
After thirty minutes passed with no contact from Jacobs, I decided to contact Dracore directly. I spoke to Adrian Hamel, who eventually told me to contact Dracore’s CEO, Chamtelle Fraser, directly after I had shared with him the Pastebin dataset details by Hunt.
Jacobs forms a key part of this story because looking at his Twitter profile, you see that he lists the domain realty1ipg.co.za. This domain, and the fact that Jacobs is listed under GoVault’s WHOIS details, suggests he is involved in both the Dracore business and the realty1ipg.co.za business, which is owned by Jigsaw Holdings (Pty) Ltd. All Jigsaw-related domain names, including realty1ipg.co.za, are registered under the name of Michelle McCrate, who is also a director at Jigsaw.
Dracore is also known for having a number of clients in the real estate business. This, however, does not necessarily mean they were responsible for the site where the leaked records were found.
Apart from the leaked records, the site also listed folders with names of the various Jigsaw businesses.
Incompetence, negligence, or both?
“They’ve [Dracore] fucked up in a seriously large scale here. They’ve collected an enormous volume of data and I’m not sure the owners of that data ever gave their consent. That may still be legal, but the backlash will be severe. They then published that data to a web server with absolutely zero protection and, of course, unauthorized parties found it. You yourself [iAfrikan] found it very quickly just by searching for it. There is now going to be a very serious spotlight shone on them for the sheer incompetence of their actions and they’re in no position to threaten those who’ve reported this to them responsibly,” said Hunt.
At this stage we can conclusively stop calling it a data hack or data breach, it is more like a leak, and I’m being kind calling it a leak as the DATA IS STILL UP ON THE WEBSITE AS I TYPE THESE WORDS!
Again, at this point, I need to emphasize and state on the record that I am in no way saying that, conclusively, Dracore is responsible. I am merely sharing what is publicly available (and yes, all my rights and those of iAfrikan are reserved).
Whoever is responsible, between Dracore, Jacobs, McCrate or anyone associated with them, needs to be taken to task. They literally “sold out” South Africa.
At this stage, we cannot and will not reveal any further details, irrespective of the fact that the information we have is publicly available.
Hunt shares the same sentiments in this regard: “I would only share the IP address and frankly, anything at all about the data you found once they’ve taken it down. The last thing anyone wants is for it to spread further.”
Just a month ago in the US, a credit firm was hacked, exposing over 140 million social security numbers of Americans. You’d think that companies like Dracore (if it is their fault) would have double-checked their systems and networks at the time just to make sure they don’t suffer the same fate.
UPDATE: Read Dracore Data Sciences’ response here.