13 September 2016

Justice department denies links to Brazzers porn website

In some parts of the interwebs, there’s been a bit of chatter around South African government employees who are possibly browsing a porn forum while on the taxpayers’ clock. A huge data leak last week showed that employee email accounts from four government departments were used to subscribe to the porn website Brazzers.

The justice and correctional services department is just one of the government departments listed in the leak. Others include:

  • sars.gov.za (South African Revenue Service)
  • lda.gov.za (Limpopo Department of Agriculture and Rural Development)
  • hantam.gov.za (Hantam Municipality in the Northern Cape)

But despite the leak linking government employees to the website, the Ministry of Justice and Correctional Services denied that this was the case.

“It needs to be understood that visitors to this offending site need to register with an email address to gain access. During this process it is possible that any email address can be used. This information can even be falsified and does not necessarily depict a connection from either a DoJ&CD employee or infrastructure,” Advocate Mthunzi Mhaga, spokesperson for the justice and correctional services ministry, said.

The website Vigilante.pw notified media of the hack into the Brazzers website, where at least 790 724 unique email addresses and passwords of users from the site’s forum had been leaked. Vigilante.pw is a group that monitors when hacks happen, who is hacked, and the impact of the breach on the privacy of users.

An operator for the website told MyBroadband that the Brazzers leak contained 519 email addresses from South African domains.

“Most of these addresses are co.za. One was from an org.za domain, while four were from gov.za domains,” MyBroadband reported.

The South African Revenue Services (Sars), the Limpopo Department of Agriculture and Rural Development and the Hantam municipality did not respond to questions from the Mail & Guardian at the time of publishing.

The justice department did, however, make it clear they have a strict IT “Acceptable Use Policy” which is meant to “set clear standards for acceptable and considerate use of IT systems and services”. Pornography, according to the department’s guidelines, qualifies as “unacceptable use”. Part of the department’s implementation of that policy includes a ban on pornographic websites at its offices.

“It should be noted that the offending sites cannot be accessed from any Department of Justice location as this, and similar sites, have been blocked. It also needs to be understood that visitors to this offending site need to register with an email address to gain access,” Mhaga said.

The department also said that the keyword “brazzers” had not appeared in any subject line in the emails received in the department’s database.

While some users told Motherboard, Vice’s tech culture online magazine, that they had created unique email addresses and passwords to protect themselves as far as possible, the government employees who used their work email addresses to subscribe to the site have put more personal information at risk – like where they work. 

The hack was made easy because the website stores user passwords in plain text, rather than saving only a representation of each password (a hash) from which the actual text cannot be read. If a website can email users their exact password, that is considered poor practice, because it means hackers will be able to read the passwords when they breach the site.
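To make the difference concrete, the sketch below is an added example, not code from Brazzers, vBulletin or this article: it stores the same constructed sample accounts once as plain text and once as salted PBKDF2 hashes, then shows what a copy of each table reveals. The function names, sample accounts and the choice of PBKDF2-HMAC-SHA256 with 600 000 iterations are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to hardware

def plaintext_record(password):
    """The practice the article describes: the stored value is the password."""
    return {"password": password}

def hashed_record(password):
    """Store only a random per-user salt and a slow one-way derivation."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def verify(record, candidate):
    """Re-derive from the login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def exposed_passwords(table):
    """Passwords readable directly from a copy of the user table."""
    return [row["password"] for row in table if "password" in row]

# Constructed sample accounts (not data from the leak); both reuse one password.
SAMPLE = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "correct horse battery",
}

def build_tables():
    plain = [plaintext_record(p) for p in SAMPLE.values()]
    hashed = [hashed_record(p) for p in SAMPLE.values()]
    return plain, hashed

if __name__ == "__main__":
    plain, hashed = build_tables()
    print("readable from plaintext table:", exposed_passwords(plain))
    print("readable from hashed table:", exposed_passwords(hashed))
    # Per-user salts mean identical passwords do not produce identical rows.
    print("identical stored hashes:", hashed[0]["hash"] == hashed[1]["hash"])
    print("login still works:", verify(hashed[0], "correct horse battery"))
```

A site built this way cannot email a user their existing password, only reset it, which is the practical sign the article points to.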

Matt Stevens, Brazzers’ public relations manager, told Motherboard that the problem lay with third-party software used to manage the forums, rather than the Brazzers website itself.

“This matches an incident which occurred in 2012 with our ‘Brazzersforum,’ which was managed by a third party. The incident occurred because of a vulnerability in the said third party software, the ‘vBulletin’ software, and not Brazzers itself.” 

Stevens went on to add that only a “small portion” of users were exposed in the leak, but even users who didn’t use the forum had their information compromised.

The justice department said that should any of its employees be found to have breached its IT policy, disciplinary action will be taken.