Data leak on UIF coronavirus relief scheme website

Hanno Labuschagne

Expert Member
Staff member
Joined
Sep 2, 2019
Messages
1,072
The Unemployment Insurance Fund (UIF) has made changes to the website for its Temporary Employer-Employee Relief Scheme (TERS) after a security researcher reported a data leak.

This leak allowed anyone to obtain the UIF reference numbers of employers who had been paid out, and look up how much they had been paid.

UIF reference numbers were published as part of a list of paid employers on a website hosted under the Department of Employment and Labour’s domain.
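The design flaw the article describes is a published identifier doing double duty as the only key needed to read a record. The following is an added example, not code from the article or from the UIF/TERS site: a constructed simulation in Python of that pattern next to a hardened lookup that requires a separately issued secret and throttles guessing. Every employer name, reference number and amount is made up, and the out-of-band token scheme is an assumption chosen for illustration, not how the real site works.

```python
"""
Added example (not from the article or the UIF/TERS site): a constructed simulation of a
lookup that accepts a published reference number as its only key, next to a hardened lookup
that needs a separately issued secret and throttles guessing. All data is made up.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data (assumption: record shape; these are not real UIF records).
PAYOUTS = {
    "UIF-0000001": {"employer": "Example Traders (Pty) Ltd", "paid": 123456.78},
    "UIF-0000002": {"employer": "Sample Logistics CC", "paid": 9876.54},
}

# What a public "paid employers" list exposes: the reference numbers themselves.
PUBLISHED_LIST = list(PAYOUTS)


def lookup_vulnerable(ref):
    """The pattern the article describes: the reference number alone unlocks the record."""
    return PAYOUTS.get(ref)


# --- hardened variant (assumed design, for illustration) ----------------------
# Each employer receives a random secret out of band; the server keeps only a hash of it.
_TOKEN_HASHES = {}
_FAILED = defaultdict(int)   # failed attempts per client identifier
MAX_FAILED = 5


def issue_token(ref):
    token = secrets.token_urlsafe(32)
    _TOKEN_HASHES[ref] = hashlib.sha256(token.encode()).digest()
    return token


def lookup_hardened(ref, token, client):
    """Return the record only for a valid (ref, token) pair; throttle guessing per client.
    An unknown ref and a wrong token are indistinguishable to the caller."""
    if _FAILED[client] >= MAX_FAILED:
        return None                                   # locked out after too many bad attempts
    presented = hashlib.sha256(token.encode()).digest()
    # Always run the constant-time compare, against a dummy digest if the ref is unknown,
    # so response timing does not reveal whether a reference number exists.
    stored = _TOKEN_HASHES.get(ref, b"\x00" * 32)
    ok = hmac.compare_digest(stored, presented) and ref in _TOKEN_HASHES
    if not ok:
        _FAILED[client] += 1
        return None
    _FAILED[client] = 0
    return PAYOUTS.get(ref)


def enumerate_with_public_list(lookup):
    """What an outsider holding only the published list can learn through a given lookup."""
    found = {}
    for ref in PUBLISHED_LIST:
        rec = lookup(ref)
        if rec is not None:
            found[ref] = rec["paid"]
    return found


# Tokens each employer would have been given; an outsider with the list does not have these.
DEMO_TOKENS = {ref: issue_token(ref) for ref in PAYOUTS}


if __name__ == "__main__":
    print("vulnerable:", enumerate_with_public_list(lookup_vulnerable))
    print("hardened, no token:",
          enumerate_with_public_list(lambda r: lookup_hardened(r, "guess", "198.51.100.7")))
    print("hardened, own token:",
          lookup_hardened("UIF-0000001", DEMO_TOKENS["UIF-0000001"], "employer-1"))
```

With the vulnerable lookup, the published list alone yields every payout amount; with the hardened one it yields nothing, and a client that keeps guessing is locked out even if it later presents a valid token. The point is not the specific token mechanism but that an identifier printed on a public list cannot also serve as the credential that protects the record.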
 

dgcarter

Well-Known Member
Joined
May 7, 2006
Messages
343
See what happens when I ask for money back from my government... I no longer exist.

[attached screenshot: Annotation 2020-05-27 162227.jpg]
 

Vis1/0N

Expert Member
Joined
Mar 10, 2009
Messages
2,038
This leak allowed anyone to obtain the UIF reference numbers of employers who had been paid out, and look up how much they had been paid.
Strange, I thought it was a feature. Until the ID numbers were implemented we used it to help a few people with shady employers to prove that the company was either paid out Rx and should not have been delaying the transfer to the beneficiary, or to backtrack from the DoL PDF file to explain (via an Excel file) exactly how the calculation was done.

It was useful and transparent, I did not consider it a leak.
 

jammio

Senior Member
Joined
Nov 14, 2007
Messages
633
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: https://uifecc.labour.gov.za/covid19/csvCapthaChecking

Connection to 10.128.99.11 failed.

The system returned: (60) Operation timed out

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.


Generated Wed, 27 May 2020 15:21:15 GMT by revproxy.labour.gov.za (squid)
 

cavedog

Honorary Master
Joined
Oct 19, 2007
Messages
17,859
I don't understand how that is a data breach?

I looked through the data a while ago and apart from the UIF number there was no sensitive information released. They had included the UIF number, name of the company, number of employees claimed for and date the claim was processed.

What is wrong with that info? Yes you could look up how much the company got paid out. You can look up what you have been paid out with id number. What are hackers and scammers going to do with that info?

Am I missing something?
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
46,204
What is the point of being able to download this list of 120K paid employers?
I assume someone did the honourable thing and pastebin'd it before they bin'd it LMAO.
 

|tera|

Master of Messengers
Joined
Mar 31, 2006
Messages
22,588
I don't understand how that is a data breach?

I looked through the data a while ago and apart from the UIF number there was no sensitive information released. They had included the UIF number, name of the company, number of employees claimed for and date the claim was processed.

What is wrong with that info? Yes you could look up how much the company got paid out. You can look up what you have been paid out with id number. What are hackers and scammers going to do with that info?

Am I missing something?
Preferably nobody should have access to any details, especially if they had an ID number.
 

cavedog

Honorary Master
Joined
Oct 19, 2007
Messages
17,859
Preferably nobody should have access to any details, especially if they had an ID number.
Yeah but the only sensitive info is the UIF number and you can't do anything with it because no one's ID number was leaked. Employees' info and stuff weren't leaked.

You could literally just see how much the company has been paid out. Nothing else. So how do you hack or scam someone with that info?

I would have been concerned if ID numbers, employee salary, company address, telephone number, banking details etc. was leaked, but a company UIF number? Come on, you can't do **** with that.
 

|tera|

Master of Messengers
Joined
Mar 31, 2006
Messages
22,588
Yeah but the only sensitive info is the UIF number and you can't do anything with it because no one's ID number was leaked. Employees' info and stuff weren't leaked.

You could literally just see how much the company has been paid out. Nothing else. So how do you hack or scam someone with that info?

I would have been concerned if ID numbers, employee salary, company address, telephone number, banking details etc. was leaked, but a company UIF number? Come on, you can't do **** with that.
My view is, the more secure the better.
No reason exists for the UIF numbers being viewable by anyone.
 

Daruk

Honorary Master
Joined
Jul 18, 2008
Messages
46,204
Yeah but the only sensitive info is the UIF number and you can't do anything with it because no one's ID number was leaked. Employees' info and stuff weren't leaked.
It doesn't have to be personally identifying info. Any info that shouldn't be released shouldn't be released for a reason. Bad actors don't harvest everything from one pool. Often there are a few sources they use to build a profile or gain trust of someone with the keys. It's actually incredibly easy for them sometimes.
 