I have a deeply rooted personal interest in data security, as I have been the victim of identity theft myself. With the news that broke this week of the “masterdeeds” leak in South Africa, I feel a renewed paranoia of the theft that took place against me a few years back.
What is it?
The leak appears to have been a dump from MySQL, hosted on a webserver that had directory browsing enabled. A perfect storm that should never have happened. That aside, I thought I would focus on what you can do to protect yourself a little going forward. I did a little digging, and while I haven’t seen the data contained in the tables, I have seen the column names that were posted by the original news-breaker. I can’t go into complete detail as I don’t have any, but some of the more concerning columns are as follows:
- ID Number
- Age Group
- Population Group
- Marital Status
- LSM Group
- Estimated Income
The above details are potentially followed by details of people’s last three employers and addresses, as well as property transfer dates and details (including bond amounts and prices). I don’t think I need to go into too much detail as to how harrowing it is that these details are out there, for both living and deceased persons. It is like a playbook of the information you do not wish to leak, and a recipe book for perpetrators of identity theft! I say potentially, in that at least some of the data seems to be incomplete, with email addresses missing and so on, however there are still over 60 million records in the table.
Was my information leaked?
The website “have I been pwned” has had the email addresses from the database uploaded, and you can check there whether your email address is part of the leak. I’m sad to say, however, that even if your email address is not in the leak, your other information may well be. So what can you do going forward? Let me condense a bit of information from my previous posts on my identity theft.
What to do?
Firstly, register with one or more of the credit bureaux. With most, you get a free report per year. I would however recommend signing up for notifications about your credit record and ratings. This service is under R300 per year with Experian. I have listed the details of the different bureaux at the end of this post. If you see that you have incorrect information, you can log a dispute using the information listed in part 3 of my previous posts on the matter. It is quite a process, but worthwhile for sorting out your records.
Should you see that you have been the victim of identity theft, follow the below process:
- Alert your bank immediately. I recommend being subscribed to any SMS notifications your bank may offer. If you’re fast enough, the amounts may be reversed immediately (you’ll need to get to the bank the same day).
- Draft affidavits to each credit provider stating that you have been the victim of theft, include your ID number, address, contact details, along with the details of how you came to know you have been targeted. This must be signed by you and a commissioner of oaths (available at the police station).
- Contact SAFPS (details at the end of the post) and inform them that you have been a victim of identity theft. They will put on temporary protection at this stage, get a reference number for this.
- Get hold of each credit provider where accounts have been opened. Ask to speak to the Risk or Fraud department, and state that you’ve been a victim of identity theft.
- Submit your affidavits to each provider, and request a confirmation from each credit provider that the accounts have been stopped or blocked, and you are listed as a victim. Provide the SAFPS reference number you would have received in point 3 above.
- Register for your credit record from the bureau of your choice. Here you’ll see any applications that have been made. The trick is now to contact a provider where the culprit has been unsuccessful.
- Ask for a “Letter of Attempt” from the Risk or Fraud department of the provider detailed in point 6, and
- Submit this letter to SAFPS to kick in more permanent protection. This protection will last 10 years and makes your life a little more difficult when applying for things, but a lot easier in that you’re not as likely to be defrauded. More details on part 3 of my previous posts.
- Start the long and arduous process of clearing your credit records with the bureaux below.
I hope this gives a glimmer of assistance and hope to anyone who may fall victim. There is light at the end of the tunnel, just keep at it. Details for the various bureaux and SAFPS are below, as promised.
Compuscan My Credit Check
The South African Fraud Prevention Services
0860 101 248
Going forward, we as South African’s will have the Protection of Personal Information Act (POPIA). This act aims to protect our personal data and hold responsible parties accountable for looking after our data. Find out more in the video below.