Hawks to investigate massive data leak

More questions than answers are circulating after it was discovered Jigsaw Holdings may be responsible for tens of millions of South Africans’ ID numbers, banking details and home addresses being uploaded to an unsecured server – and now the Hawks are stepping in.

“The acting national head of the Directorate for Priority Crime Investigation [DPCI], Lieutenant-General Yolisa Matakata, has instructed an investigation into the alleged Master Deeds data breach, which exposed the personal information of millions of South Africans,” Hawks spokesperson Brigadier Hangweni Mulaudzi told The Citizen.

“The Hawks typically does not comment on ongoing investigations, however, in light of the intense public interest and the potential impact of this matter, the Hawks are collaborating with other law-enforcement agencies and stakeholders investigating the data breach.”

Mulaudzi said the scope of the investigation would not be discussed yet.

“However, the Hawks’ Cybercrime Unit is leading the investigation. Lieutenant-General Matakata has instructed that investigators spare no effort in their probe and in enforcing the law to the fullest extent against anyone who is found to be at fault.”

The Citizen has approached Jigsaw Holdings for comment.

The company receptionist promised to call back yesterday, however, this has not happened, and the Jigsaw website appears to have been taken down.

Troy Hunt is an independent web security specialist, based in Australia, and it was thanks to him the leak was revealed.

He runs a free service called “Have I Been Pwned” (HIBP), which aggregates data breaches and currently contains about 4.8 billion records from these incidents.

“In simple terms, this means that when there’s a hack of a service like Dropbox, LinkedIn or MySpace and the data is published online [as each of those was last year], supporters of HIBP frequently send that data to me so that I help people impacted by the incident learn of their exposure,” Hunt explained on his website, troyhunt.com

“On March 14 this year, someone sent me a 27-gigabyte file called ‘masterdeeds.sql’, which was a MySQL database backup file. There was nothing immediately remarkable about it; there was no clear indication of a source [many similar examples include the source website in the file name], and there were “only” 2.2 million email addresses in the file [I was dealing with breaches containing tens or even hundreds of millions of records at the time]. It went into an archive folder with literally hundreds of other similar files which, time permitting, I’d come back to and review later.”

Later being this month, he began trying to import the file to his laptop.

“The import runs for several days until eventually last Sunday, I had to get on a plane to head interstate and run some training, which meant turning off the machine and ceasing the process. It stopped after importing 31 631 992 records,” Hunt said.

“The morning after my original tweets seeking support, I had a number of emails from Tefo Mohapi of iAfrikan. Tefo had done some great investigative work in an attempt to track down the source of the data which he later covered in two stories. The first was ‘South Africa’s Largest Ever Data Breach’, in which he identified a company named Dracore as a possible source,” said Hunt.

“During his investigation, Tefo was contacted by an individual going by the name of Flash Gordon on Twitter. It turns out it was this person who originally located the data, and I was able to date when I received it by looking back at my DMs with him or her. ‘Flash’ was also able to advise that alarmingly, the data was still publicly exposed 7 months on from when they’d originally located it,” said Hunt.

According to him, ‘Flash’ had found the 27GB file sitting on a “publicly facing web server”, which means anyone with Google or similar could go to that address and see all the files hosted on the site.

“The Master Deeds file had a ‘Last modified’ date of 8 April 2015; it could have been exposed since that date,” Hunt noted.

“This is really alarming because it means at the absolute least, the data was left open to the public for seven months. At worst, it was 2.5 years if we go all the way back the ‘Last modified’ date in early 2015. In fact, it could have been exposed for even longer because that’s just the date it was last changed, not when it was created and not when it was necessarily placed on that server.”

Hunt said he had loaded the 2.2 million unique email addresses in the data set into HIBP. You can search for your email there now, and it will give a yes or no answer as to whether it exists, but obviously the addresses only represents a small portion of the overall data set.

“I do not have any plans to make the personal identification numbers searchable. Given the sensitivity of that data, it’s not information I want to be responsible for managing on a service like this. However, given the size of the data as compared to the population of South Africa, there’s an extremely high likelihood that anyone with an ID is in the data set.”