19 October 2017
Complaint: Massive Breach of Personal Information
To Adv. Pansy Tlakula,
Chairperson: Information Regulator
This week, the public learned of what is probably the single biggest data breach in South African history. This letter serves as an official complaint to the Information Regulator, with a request for your urgent investigation and finding.
On 17 October 2017, security researcher Troy Hunt reported the breach of a database that has now been revealed to contain the sensitive personal information of more than 60 million people, living and dead. The database contains government-issued ID numbers, email addresses, phone numbers, as well as information about marital status, employment, and property ownership. In total, Hunt has reported that the database contains 60,323,827 rows of data with unique South African identity numbers.
At the time of this complaint, several media investigations have linked the breach to Jigsaw Holdings, a parent company for several real estate firms.
This breach suggests several unlawful acts in terms of the Protection of Personal Information Act (POPIA). We therefore request the Information Regulator to conduct an investigation on an urgent basis to determine:
1. Which persons and companies are responsible for the collection of the personal information contained in this breach?
2. For what purposes was the personal information being used, and were these uses unlawful?
3. For what purposes was the personal information being retained, and was this retention unlawful?
4. Which persons and companies are responsible for the breach of the personal information, and was the database adequately protected?
We are aware that there have been major delays in bringing the Information Regulator into operation, due in no small part to lack of support and action from supporting government bodies. There is simply no more room for delays. Millions of people’s privacy has been breached. The Information Regulator must act, now, to protect them. I trust that you will do everything in your power to act on this breach, now.
– Sent on behalf of Right2Know Campaign
Note to the public: About 2 million of the entries in the database included an email address. You can check if your email address was among those records at http://haveibeenpwned.com.