You may be guilty in City of Joburg security leak

Paul Jacobson, managing director of WebTechLaw, warned that unauthorised access to data is regarded as an offence under the ECT Act. This may include viewing unprotected online files, such as the City of Joburg (COJ) ratepayers’ invoices.
On Tuesday, news broke that the City of Joburg had exposed its ratepayers’ private invoice information, which included names, addresses, PINs, and financial details.
The vulnerability was first reported on MyBroadband’s forum by a concerned citizen after he unsuccessfully tried to alert the city about the problem.
Following the report, many Internet users tested the vulnerability, which means that they accessed private COJ invoices which they may not have been authorised to view.
Jacobson told MyBroadband that the ECT Act regards unauthorised access to data or circumventing security measures as offences, with penalties being fines or imprisonment of up to 12 months.
“So accessing the data, despite the weakness in the system, would still likely be regarded as unauthorised and technically an offence,” said Jacobson.
Jacobson added that accessing the invoices via a Google search may even be illegal.
“An interesting question is whether Google could be liable, although I suspect not because its search activities are largely automated and not aware of authorised as opposed to unauthorised access,” said Jacobson.
City of Joburg comments
Curiously, Richard Nene, the City of Joburg’s director of group and services IT division, said that it was a good thing that the security flaw was highlighted and passed on to the media by a concerned citizen.
Nene confirmed that they were not aware of the security flaw, and that the report helped them to identify the problem and work on protecting their residents’ information.
Not long after Nene’s comments, the City of Joburg’s Abraham Mahlangu said that they had opened a police case to investigate how their online billing system was “maliciously hacked”.
Jacobson said that whether it was malicious is a factual question. “I understand this was a white hat sort of thing, so probably no malice, but the fact that the access was unauthorised is the main problem,” he said.
City of Joburg can also be liable
Jacobson said that he thinks the City of Joburg should be accountable for the weakness in the system if it was negligent.
“I can’t believe that a robust and modern Web services platform could allow for such access without someone being negligent,” he said.
He said that there may be a case against the city for exposing its residents’ private data.
“Precisely what the basis of the action against the City is remains to be seen, but a good starting point is a violation of citizens’ and companies’ rights to privacy under the Right to Privacy in the Bill of Rights,” said Jacobson.