A database containing sensitive personal data, including South African ID numbers and plain text passwords, was discovered on a public web server belonging to ViewFines last year.
Prior to this, Home Affairs leaked data through a contact form on its website – while a real estate group exposed a database containing a variety of details of essentially every South African in 2017.
Security experts such as SensePost CTO Dominic White told MyBroadband that even a small amount of leaked personal data can empower an attacker to gain access to private information. This can grant attackers access to your accounts, for example.
White demonstrated this by using the leaked information of a coworker to hack into their online medical aid account. This gave him access to the ID numbers and full names of dependents and their recent medical records.
In addition to this, your ID number itself reveals a lot of information about you – as detailed below.
Decoding the ID number
A South African ID number is a 13-digit number which is defined by the following format: YYMMDDSSSSCAZ.
- The first six digits (YYMMDD) are based on your date of birth. For example, 23 January 1988 becomes 880123. Although rare, it can happen that someone’s birth date does not correspond with their ID number.
- The next four digits (SSSS) are used to define your gender, with only the first digit of the sequence relevant. Females have a number of 0 to 4, while males are 5 to 9.
- The next digit (C) is 0 if you are an SA citizen, or 1 if you are a permanent resident.
- The next digit (A) was used until the late 1980s to indicate a person’s race. This has been eliminated and old ID numbers were reissued to remove this.
- The last digit (Z) is a checksum digit, used to check that the number sequence is accurate using the Luhn algorithm.
Before the race group classification was abandoned, this is what digit A in the ID number indicated:
- 0 – White
- 1 – Cape Coloured
- 2 – Malay
- 3 – Griqua
- 4 – Chinese
- 5 – Indian
- 6 – Other Asian
- 7 – Other Coloured
Validating ID numbers
The last digit of a South African ID number is calculated using the Luhn algorithm, which allows for basic error detection.
To check whether an ID number is valid, the Luhn algorithm may be applied as follows:
- Working from the rightmost digit of the number, double every second digit.
- Add the digits of each doubled result together (for example, 16 becomes 1 + 6 = 7).
- Sum the resultant digits together with the remaining (odd) digits of the ID number.
- If this sum is divisible by 10 (without remainder), the ID number is valid.
An example of this calculation, using our fictional ID number from before, is shown below:
- Sum: 8 + 7 + 0 + 2 + 2 + 6 + 5 + 2 + 1 + 2 + 0 + 7 + 8 = 50
- 50 ÷ 10 = 5, remainder 0
- Therefore: ID number is valid
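The field layout and the Luhn check described above can be combined into one decoder, shown here as an added example that is not part of the original article. The function names, the century rule for the two-digit year, and the sample number (constructed to match the 880123 birth date and the worked sum) are assumptions of this example.

```python
from datetime import date

def luhn_valid(number):
    """Luhn check as described above; True when the total is divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9      # same as adding the two digits of the product
        total += d
    return total % 10 == 0

def decode_sa_id(id_number, today=None):
    """Split YYMMDDSSSSCAZ into fields. Raises ValueError on malformed input."""
    if len(id_number) != 13 or not (id_number.isascii() and id_number.isdigit()):
        raise ValueError("expected exactly 13 ASCII digits")
    today = today or date.today()
    yy, mm, dd = (int(id_number[i:i + 2]) for i in (0, 2, 4))
    # The two-digit year is ambiguous. Assumption made here: pick the most
    # recent century that does not place the birth date in the future.
    born = None
    for century in (2000, 1900):
        try:
            candidate = date(century + yy, mm, dd)
        except ValueError:  # e.g. month 13 or 30 February
            continue
        if candidate <= today:
            born = candidate
            break
    return {
        "date_of_birth": born,  # None when YYMMDD is not a real past date
        "gender": "female" if int(id_number[6]) <= 4 else "male",
        "citizenship": {"0": "SA citizen", "1": "permanent resident"}.get(
            id_number[10], "unknown"),
        "checksum_ok": luhn_valid(id_number),
    }

if __name__ == "__main__":
    # Constructed sample: digits chosen to match the 880123 birth date and
    # the worked sum above.
    print(decode_sa_id("8801235111088", today=date(2024, 1, 1)))
```

A passing checksum only shows that the digits are internally consistent, so it catches typing errors but says nothing about whether the number was issued to the person presenting it.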