Gautrain-linked site in massive data leak

2 Oct 2014

At least 40,000 South Africans appear to have submitted their private details to Gautraincard.co.za to “apply for the purchase” of a new Gautrain Gold card, and the site then exposed those details to anyone on the Internet.

Details exposed are full names, birth dates, ID or passport numbers, postal addresses, e-mail addresses, and telephone numbers.

Gautrain Gold Cards are the proximity cards used to pay to ride on the Gautrain.

MyBroadband was provided with proof that it is possible to view the personal details of people who registered on the site, with one user whose details were exposed confirming that they had indeed registered on GautrainCard.

Queried about the site, a spokesperson for the Gautrain Management Agency (GMA) said they did not operate any sites like Gautraincard.co.za.

The only legitimate method to buy a Gold Card is at a Gautrain station, and Gautrain does not request users to provide their personal details online, the spokesperson said.

Enterprise Outsourcing Solutions (Pty) Ltd, the company listed as the registrar of Gautraincards.co.za, was also contacted for comment.

Gautraincard.co.za screenshot

It is understood that this company is a subsidiary of EOH Holdings Ltd., and the phone number listed in the website’s registration also connects to EOH’s switchboard.

However, EOH also said it had no knowledge of the site, could not provide any information about it, and directed queries to the website owner, which is listed as Bombela Operating Company.

Contacted for comment, the Bombela Operating Company disavowed all knowledge of the site, saying that websites and marketing are not their domain, and directed all queries to the Bombela Concession Company.

MyBroadband tried to contact the Bombela Concession Company as requested, but no one could be reached who could answer questions about the site.

With the assistance of the Gautrain Management Agency, the correct people at Bombela were eventually alerted to the issue, with a subsequent response indicating that they are looking into the matter.

Another company linked to the GautrainCard site is 3G’s Digital, which is credited in the footer with the site’s design and development.

3G’s lists Ricardo Pieterse as its contact person, and the 3G’s website is also registered in Pieterse’s name.

Queried about Gautraincard.co.za, Pieterse confirmed that he had designed and developed it under contract by Bombela. He requested that further questions be sent to him by e-mail.

MyBroadband asked about the privacy concerns raised, but Pieterse directed further queries to Errol Braithwaite at Bombela.

Braithwaite is the person at Bombela whom the Gautrain Management Agency alerted about the issue, but feedback from Bombela was not immediately forthcoming at the time of writing.

This article was first published on MyBroadband.
