By Annalise Kempen
During mid-October 2017, social media was awash with the news that approximately 30 million South Africans' personal information had been hacked. The breach was revealed by Troy Hunt, an Australian security researcher and creator of the website "Have I been pwned". This website allows people to check whether their personal information has been compromised in a data breach. Once South Africans were informed about the breach, many hastily proceeded to enter their e-mail addresses on the website and got the message "Oh no - pwned!" which made them question what they could do about the fact that their personal information could potentially end up in the hands of cybercriminals.
Following this incident, the Directorate of Priority Crime Investigations (DPCI) (commonly referred to as the Hawks) issued a media statement noting that the Acting National Head of the DPCI, Lt-Gen Yolisa Matakata, had initiated an investigation into the alleged master deeds data breach, which exposed the personal information of millions of South Africans.
The master deeds data breach: background
South Africans who know that their data has been compromised are interested in knowing what information has been compromised, by whom, and ultimately what could potentially happen to their information. In the few weeks since the incident drew media attention, we've learned that Troy Hunt received a 27 GB electronic file named "masterdeeds.sql" in March 2017. This electronic file contains personal records of South Africans including their identity numbers, marital status, employment details, income information, property ownership information and other sensitive information. According to Mohapi (2017), "what is important to note is that this is for both deceased and alive people in South Africa".
Why should we be concerned about the data breach?
Mohapi (2017) notes that Troy Hunt confirmed that the data set contains more than 2.2 million unique e-mail addresses, which is less than 10% of the total unique records in the data set. This makes sense since not every South African whose data has been compromised has an e-mail address and since the data includes that of deceased persons.
We know by now that getting access to an individual's personal information is exactly what identity thieves would pay large amounts of money for. Once they get their hands on such information, they can go about using that data to open bank accounts and other accounts or apply for credit in the name of a victim who is unlikely to know that their personal information is being used to commit identity fraud*. In other words, getting access to such data "makes it a dream for someone or a group of people who trade in identity theft because they not only have your ID number and contact details but your income information too. Making the job of identity thieves, should they get a hold of the data, quite a breeze" (Mohapi, 2017). So, what we as South Africans should be concerned about is what these perpetrators could do with our identity numbers or information about our income or property.
The Hawks' Cybercrime Unit has launched an investigation together with multi-disciplinary stakeholders and other law enforcement agencies in order to establish the extent of the possible breach and to identify any cybersecurity vulnerabilities in terms of critical information infrastructure within government structures.
The extent of cybercrime
In order to determine whether this data breach is regarded as a form of cybercrime, it is important to look at a few definitions relating to cybercrime. Although neither the Cybercrimes and Cybersecurity Bill nor the Electronic Communications and Transactions (ECT) Act 25 of 2002 define cybercrime, the Electronic Communications and Transactions Amendment Act 1 of 2014, attempts to do so. Chapter 8 of Act 1 of 2014 follows a cautious approach by defining "access" which includes "the actions of a person who, after taking note of any data, becomes aware of the fact that s/he is not authorised to access that data and still continues to access that data". The National Cybersecurity Policy Framework (NCPF), which was approved by Cabinet in December 2013, defines cybercrime as "illegal acts, the commission of which involves the use of information and communication technologies".