We have been able to confirm that South African traffic fines online payments website, ViewFines, is the source of the data leak of personal records of 934,000 South African drivers. Troy Hunt, an Australian security consultant and founder of haveibeenpwned who worked with iAfrikan in looking into the data leak, has also been able to positively identify the leaked database as belonging to ViewFines.

Since 23 May 2018, before publishing this article, iAfrikan has been trying without success to alert Stephen Birkholtz, who is listed as the person who registered the domain and as Operations Manager at Aggregated Payment Systems (Pty) Ltd (APS). This is despite read receipts showing that Birkholtz read the e-mails and WhatsApp messages sent. After calls went unanswered since the 23rd, Birkholtz's mobile phone has been off as of the morning of 24 May 2018.

"It was found on a web server belonging to a company that handles electronic traffic fine payments in SA [South Africa]. Was once again a case of someone enabling directory listing/browsing where their "backups" were saved and this just so happened to be part of it," said an anonymous contact tipping off iAfrikan on the data leak.

What is alarming, beyond the fact that the leaked database also contains the national identity numbers of over 900,000 South Africans, is that user passwords for the ViewFines website are stored in plaintext. This allows anyone with access to the leaked database to obtain further personal data of the users, including, among others, their vehicle and traffic fine information.

The database contains columns for the following, among others:

Unique ID - system generated ID

ID Number - 13 digit South African National ID number

Full Names

Surname

Mobile Number

Total amount of outstanding traffic fines

E-mail address

Password - ViewFines.co.za password stored in plaintext.

"The website provides secured access to all outstanding offenses issued by the listed Municipalities which were registered against your ID number. The registration provides you absolute security, and access is only allowed by ID and your personal password. No other member of the public can access your outstanding offence information," reads a statement on the ViewFines website.

Collateral damage

ViewFines also states on its website that it counts among its partners and clients companies and organizations such as Standard Bank, ABSA, the South African Post Office, and many municipalities, including metro municipalities like Ekurhuleni and Nelson Mandela Bay. This is further confirmed by information shared by Aggregated Payment Systems (Pty) Ltd, the company that owns ViewFines, on its LinkedIn page, where it states that:

APS is a database of outstanding fines collected on behalf of contracted service providers, from Municipalities, Provinces or any Law Enforcement body, for the verified payment of Traffic Fines.

APS have contracted with the following 7 major Service Providers:

3 of the largest banks in South Africa – First National Bank, ABSA and Standard Bank; providing payment facilities through ATMs, Cell Phone Banking, Over-the-Counter and Internet payments;

The South African Post Office with more than 1500 online branches countrywide;

Retail Service Providers EasyPay and [email protected] with thousands of outlets via Pick & Pay, Shoprite Checkers, Spar and many other retail outlets;

Internet payments through Standard Bank, ABSA or the www.Payfine.co.za website.

34 Law Enforcement Agencies are currently contracted through the abovementioned service providers, where APS aggregate the traffic fines daily and provide a 24 hour / 7 days a week facility at Internet Solutions in Johannesburg.

At the time of publishing, and after iAfrikan contacted and engaged the banks and municipalities mentioned by APS, some of the organizations that got back to us could not provide us with an official statement. We will provide updates once the nature of the relationships ViewFines/APS has with them becomes clear. This is important because, depending on the nature of the relationship, there could be other information security risks and concerns, given how the ViewFines data was leaked and also how the website doesn't handle data over a secure connection, as Hunt has pointed out to iAfrikan.

"They’re [ViewFines.co.za] not serving content over a secure connection, but the certificate they have on their site is also broken," said Hunt.

Furthermore, Hunt explained that ViewFines' certificate was "issued on 8 May but then revoked on 11 May with a reason of 'cessationOfOperation'."

The leak, just like South Africa's largest data leak in 2017, highlights how important it is for the country to have a fully functional Information Regulator who will be able to act on and enforce the country's Protection of Personal Information Act (POPIA).

Those who want to check if their data has been leaked can verify this on haveibeenpwned.

Update

23 May 2018 - 934,000 personal records of South Africans have been leaked publicly online (including ID numbers).

28 May 2018 - ViewFines has admitted to publishing the now leaked database relating to personal records of 934,000 South Africans, publicly online.

29 May 2018 - Just under a week after iAfrikan reported on the ViewFines data leak, the company has sent a warning e-mail to its users.







30 May 2018 - Here are some of the shocking things we discovered about the ViewFines website (before they shut it down).