Massive privacy, security flaw with Gautrain-linked site

At least 40,000 South Africans appear to have submitted their private details to Gautraincard.co.za to “apply for the purchase” of a new Gautrain Gold card, which the site then exposed to anyone on the Internet.
Details exposed are full names, birth dates, ID or passport numbers, postal addresses, e-mail addresses, and telephone numbers.
Gautrain Gold Cards are the proximity cards used to pay for travel on the Gautrain.
MyBroadband was provided with proof that it is possible to view the personal details of people who registered on the site.
We contacted one user whose details were exposed, and they confirmed that they had indeed registered on the GautrainCard site.
Queried about the site, a spokesperson for the Gautrain Management Agency (GMA) said they did not operate any sites like Gautraincard.co.za.
The only legitimate method to buy a Gold Card is at a Gautrain station, and Gautrain does not request users to provide their personal details online, the spokesperson said.
Enterprise Outsourcing Solutions (Pty) Ltd, the company listed as the registrar of Gautraincard.co.za, was also contacted for comment.
It is understood that this company is a subsidiary of EOH Holdings Ltd., and the phone number listed in the website’s registration also connects to EOH’s switchboard.
However, EOH said it had no knowledge of the site and could not provide any information about it, and directed queries to the website owner, which is listed as Bombela Operating Company.
Contacted for comment, the Bombela Operating Company disavowed all knowledge of the site, saying that websites and marketing are not its domain, and directed all queries to the Bombela Concession Company.
MyBroadband tried to contact the Bombela Concession Company as directed, but could not reach anyone able to answer questions about the site.
With the assistance of the Gautrain Management Agency, the correct people at Bombela were eventually alerted to the issue, and we were told they are looking into the matter.
Another company linked to the GautrainCard site is 3G’s Digital, which is credited in the footer with the site’s design and development.
3G’s lists Ricardo Pieterse as its contact person, and the 3G’s website is also registered in Pieterse’s name.
Queried about Gautraincard.co.za, Pieterse confirmed that he had designed and developed it under contract to Bombela. This is supported by the fact that the main Gautrain website links to the GautrainCard site.
Pieterse requested that further questions be sent to him by e-mail and when MyBroadband asked about the privacy concerns raised, he directed further queries to Errol Braithwaite at Bombela.
Braithwaite is the person at Bombela who the Gautrain Management Agency alerted about the issue, but feedback from Bombela was not immediately forthcoming by the time of publication.
Update: Braithwaite has provided the following statement on the issue.
We have engaged with the sub-contractors who developed and maintain the site and will revert to you with a full response as soon as it is available. In the interim we have insisted that the site is immediately quarantined with no public access until its security is fully verified.
At this stage it is still unclear what the exact nature of the problem was and whether the site was the subject of a cyber attack.
We have requested an urgent report on whether anyone’s personal data integrity was in fact compromised. What we do know is that no one’s personal data stored on their Gautrain Gold Cards has been compromised or altered in any way.