News
How safe is your data online?
Less than eight months since almost 60 million South African identity numbers were shared publicly online, another data leak that’s potentially far worse has occurred. Just how safe are our own community’s databases?
JORDAN MOSHE
The latest leak is from South African traffic fines online payments website, ViewFines. The personal records of 934 000 South African drivers stored on the system have been leaked into the public domain.
The leaked information contains national identity numbers as well as user passwords for the website. Alarmingly, experts found that these passwords were stored in plaintext, meaning that anyone with access to the exposed database could obtain further personal user information, including vehicle and traffic fines information.
According to Troy Hunt, an Australian security consultant who worked with media outlet iAfrikan in looking into the data leak, the incident has highlighted how vital it is to improve security measures and enforce South Africa’s Protection of Personal Information Act properly.
“The breach highlights the poor security practices of both start-ups and established companies, which think a great idea is all you need to start an online business,” technology expert Arthur Goldstuck says. “Any new product or service must be designed with trust as the central component. This, in turn, results in a focus on issues like security, privacy and data protection.”
The incident raises questions about the security of our community’s own databases, and perhaps forces us to consider just how safe our own information really is.
Although it was established that major community organisations do maintain large databases, information about their security has been difficult to glean.
At the time of going to print, no response had been received from the office of the Chief Rabbi, while the SA Zionist Federation confirmed that it does keep a secure database, saying it is isolated on its own server for security purposes.
Wendy Kahn, national director of the SA Jewish Board of Deputies (SAJBD), says that no official communal database exists at a national level. She did mention, however, that the Cape Town community has a comprehensive database of the community.
“The United Jewish Campaign in Cape Town actually houses a very important database, known as the communal registry,” says the director of SAJBD Cape Town, Joshua Hovsha. “It serves as a voter’s database for community elections, ensures receipt of the Cape Jewish Chronicle and is used for emergency contacts. It is also carefully curated and protected.”
The Chevrah Kadisha confirmed that it maintained its own secure database. The developers of the security measures, Glen Chalmers and Allan Samson, said: “Our data is secured behind three separate firewalls. From the top levels of the CEO and CFO, security is a primary concern.
“The IT department here is extremely security conscious and believes that data security is a frame of mind, more than just making sure that a box is kept safe.”
They explained: “We maintain strict control over who has access to the database, which is only accessed in-house. External access is made very difficult, as we ensure that all data is encrypted and secured with multiple passwords.”
In light of this, just how secure is your own personal data? Using search engines on websites such as “have I been pwned.com”, you can establish if your email address has been leaked from any one of the sites or online services to which you have signed up.
According to the site’s statistics, 284 websites have experienced data leaks, with 5 044 555 541 email addresses leaked across the internet worldwide. Among those sites affected are Adobe.com, which lost 153 million addresses in 2013 in a breach; and LinkedIn, which had 164 million addresses and passwords exposed in 2016.
South Africa-based databases like Ster-Kinekor and the Master Deeds website have been targeted. The former lost over 1.6 million unique email addresses in 2016, and the latter leaked names, addresses, ethnicities, genders, birth dates, government-issued personal identification numbers and 2.2 million email addresses last year.
Although we may be powerless to ensure the safety of our information on any online platform or database, we can take steps to minimise risks and enhance our digital security.
“From a consumer perspective, the breach highlights the need to be cautious whenever signing up to an online service,” says Goldstuck. “Sometimes one is willing to hand over personal data in return for the utility or service being offered.
“The central rule in any online activity involving a log-on is to use a different password for every site or service one uses. The reason is that cyber criminals will take user names and passwords from the breach of a seemingly innocuous site and try them across banking and social media sites, which can result in massive damage,” says Goldstuck.
“The key is to come up with a system that allows you to create unique passwords, but ones that you will remember, based on your system and attributes of each site.”