Shocking details about data breach in South Africa

Real estate agency Pam Golding may not be entirely forthcoming about how it obtained the personal information compromised in a recent breach of its customer relationship management (CRM) platform.
A security researcher contacted MyBroadband shortly after the incident when she saw that Pam Golding was using an email address for her that they should not possess.
She explained that she had used the email address in question in precisely one place — to sign up for credit bureau TransUnion’s identity theft and credit monitoring service through its MyTransUnion portal.
Pam Golding, South Africa’s largest estate agency, suffered a data breach on Friday, 7 March 2025. It said an unknown third party gained unauthorised access to its CRM system, Alchemy, with an existing user account.
“The information accessed by the threat actor is dependent on the type of information that we have stored on the Alchemy System for a particular client,” the company said.
“For example, your name and contact details, and in some cases, identity numbers.”
Pam Golding sent a notice to people potentially impacted by the breach on 11 March, and MyBroadband was soon contacted by several people who said they had no idea how the company got their contact details in the first place.
When asked about this two weeks ago, Pam Golding explained that every contact who has interacted with the company in any way was stored in its system. This includes every enquiry, evaluation request, or newsletter subscription.
However, the security researcher who contacted MyBroadband says none of that explains how Pam Golding got the address she used to register for MyTransUnion.
She explained that she uses a catchall mailbox at a custom domain, which we will call emailfunnel.com (changed to protect the identity of our source).
The way her domain is configured allows her to receive email to any username in a single mailbox without first having to set up specific aliases.
Therefore, she might use [email protected] as the registered email for her bank, [email protected] for Instagram, and [email protected] for her TransUnion portal account.
She also never sends any email from these addresses. For that, she has a regular [email protected] address.
Imagine her surprise when she received Pam Golding’s incident notification at the “mytransunion” address that she used to sign up for the credit bureau’s services in 2017.
When she searched her inbox for all emails to and from that address, she also found a direct marketing email from Pam Golding Properties, dated 5 September 2024, regarding a property she owns in Cape Town.
She says she never contacted the real estate agency about letting out the property — and certainly wouldn’t have done so using the TransUnion email address.
While the researcher asked to remain anonymous, MyBroadband spoke with her on a video call, and she showed us the search results of her email inbox live via screen sharing.
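
The per-service alias scheme described above can be audited mechanically. The following is an added example, not code from the article or its source: it scans constructed messages for aliases that received mail from a sender they were never given to. The `.example` sender domains, the alias-to-sender map and the message dates and times are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

CATCHALL_DOMAIN = "emailfunnel.com"  # the article's placeholder domain

# Assumption: alias -> the only sender domains it was ever given to.
# The ".example" domains are constructed stand-ins, not real company domains.
EXPECTED_SENDERS = {
    "mytransunion": {"transunion.example"},
    "bank": {"bank.example"},
}

# Constructed sample messages (only the headers matter here).
SAMPLE_MESSAGES = [
    "From: Portal <noreply@mail.transunion.example>\nTo: mytransunion@emailfunnel.com\n"
    "Date: 14 Jun 2017 09:00:00 +0200\nSubject: Welcome\n\n.\n",
    "From: Agent <marketing@estate-agency.example>\nTo: mytransunion@emailfunnel.com\n"
    "Date: 5 Sep 2024 10:15:00 +0200\nSubject: Your property\n\n.\n",
    "From: Notices <privacy@estate-agency.example>\nTo: MyTransUnion@EmailFunnel.com\n"
    "Date: 11 Mar 2025 16:40:00 +0200\nSubject: Incident notification\n\n.\n",
    "From: Bank <alerts@bank.example>\nTo: bank@emailfunnel.com\n"
    "Date: 12 Mar 2025 08:00:00 +0200\nSubject: Statement\n\n.\n",
]

def sender_allowed(sender_domain, allowed):
    """True if the sender is an allowed domain or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)

def audit_aliases(raw_messages, expected=EXPECTED_SENDERS, domain=CATCHALL_DOMAIN):
    """Return a finding for each alias that received mail from an unexpected sender."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        # From is only a lead: it can be spoofed, so confirm with SPF/DKIM results.
        sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        rcpts = getaddresses(msg.get_all("Delivered-To", []) + msg.get_all("To", []))
        for alias in sorted({a.lower().rpartition("@")[0] for _, a in rcpts
                             if a.lower().endswith("@" + domain)}):
            allowed = expected.get(alias)
            if allowed is not None and sender_allowed(sender, allowed):
                continue
            reason = "unregistered alias" if allowed is None else "unexpected sender"
            findings.append({"alias": alias, "sender": sender,
                             "date": msg.get("Date", ""), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in audit_aliases(SAMPLE_MESSAGES):
        print(finding)
```

A finding shows only that a third party holds the alias; it does not show whether the address was leaked, sold or shared, which is the question the rest of this article pursues.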

MyBroadband contacted Pam Golding and TransUnion for more details about how the real estate agency could have got its hands on an email address entrusted to the credit bureau, but both companies hid behind POPIA.
Perversely, the Protection of Personal Information Act (POPIA) is supposed to safeguard South Africans against the mishandling of their data.
“Please note that we can only respond to information regarding the client information and processing directly in terms of the provisions of POPIA,” Pam Golding stated.
“Please advise the client to contact us directly via [email protected] and we will address their query directly.”
MyBroadband then responded to Pam Golding’s feedback, copying in the researcher, and explained that we were given full authority to tackle these questions on her behalf. She replied and confirmed that we were speaking the truth.
“We have noted your email, however, regardless of MyBroadband’s contention that it acts on her behalf, as mentioned in complying with POPIA, we still cannot divulge any private information or engage with MyBroadband on a matter that is a specific client issue,” Pam Golding maintained.
TransUnion’s initial response was to deny any connection between it and the Pam Golding data breach.
“TransUnion South Africa is aware of media reports regarding a cyber incident involving Pam Golding Properties. We have no evidence to suggest that this incident is linked to TransUnion’s systems or data,” the credit bureau stated.
Its denial came despite a detailed explanation of the catchall email inbox and that there was no apparent explanation for why Pam Golding should have an email address the researcher provided only to TransUnion.
Once again, we responded and said we would be happy to provide the evidence as well as disclose the name of the researcher to TransUnion for investigation. They agreed, and responded with the following statement.
“TransUnion has a standard dispute process that we need to follow to assist the consumer further, as we would need to obtain her ID number to access her profile in a compliant manner,” it stated.

Doxxing-as-a-service in South Africa

Without details from Pam Golding or TransUnion about how the researcher’s MyTransUnion portal login email landed in the real estate agency’s CRM system, we are left to deduce what may have happened.
One unlikely option is that Pam Golding obtained data from the 2022 TransUnion data breach and added it to its CRM system. This assumes that the researcher’s email was contained in that dataset.
Another more likely explanation is that Pam Golding queried the data of property owners for a specific building or area, and TransUnion offered up every email address it had for those people.
South African cyber defence specialist Dominic White has warned for years that credit bureaus in South Africa are effectively selling people’s personal data to anyone willing to pay.
Speaking at a past MyBroadband conference, White called it “doxxing-as-a-service”.
He explained that several online services are available in South Africa that allow you to sign up and query the personal information held by credit bureaus for a fee.
While some have safeguards in place that require additional forms to be completed, and ID document scans and proof of address to be provided, these systems are readily accessible to real estate agents and many other people.
Therefore, one plausible explanation for how this happened is that Pam Golding queried the data of every homeowner it wanted to target in a particular area from the deeds office.
It then “enriched” that data by querying those people’s particulars against TransUnion, which duly handed over our source’s [email protected] address.
This is not unlawful under POPIA. In fact, the National Credit Act provides an exemption for credit bureaus to specifically make this kind of activity legal.
White said that this was the heart of the problem in South Africa.
“The legality is only phrased around what the credit bureaus can collect but not on controlling how they disseminate it,” he said.
Feedback from Pam Golding’s information officer to our source corroborates this theory, although they were very careful with their word choice — only saying this “may” have happened.
“There are services available to the industry that provide access to contact information related to homeowners so that we may contact them once to offer services to them in accordance with POPIA,” Pam Golding’s information officer said.
They were providing feedback to the security researcher after she contacted them as directed.
“It is possible that such a service was used by the agent or office in question,” the information officer stated.
They then explained that there was no way to delete your data once they have it, because they must keep a record if you’ve opted out of direct marketing to ensure they don’t violate POPIA by contacting you again.
“Once a client opts out, the information would have been marked as such by the agent on the system, indicating that no further canvassing to the contact may take place,” said Pam Golding’s information officer.
“We retain the personal information only to maintain a do-not-contact list in terms of the guidance from the Information Regulator.”