SSC leak exposes personal info online

PERSONAL information of thousands of people registered with the Social Security Commission (SSC) has been leaked on the internet.

The leak, extracted from the SSC website since Friday, includes private details of clients such as salaries, home addresses and copies of national documents, including ID cards and passports.

The extent of the leak is not yet fully known, but documents seen by The Namibian so far show that the breach of confidential information affects over 2 000 people registered with the national welfare agency.

The SSC, which has over 200 000 beneficiaries, draws its funds from compulsory deductions from every worker who receives a basic salary.

The deductions are to provide a safety net for workers in certain circumstances, such as those on maternity and sick leave, as well as providing a funeral benefit.

The data leak allowed private information to be accessible on the SSC website.

The majority of confidential information, mostly in pdf, Word and spreadsheet formats, was easily accessible for everyone to download through a specific link to the SSC website.

An SSC document titled “Application for registration as a worker” contains most of the private information which was leaked.

That document includes the names, dates of birth, ID card numbers, passport numbers, marital status, residential addresses, cellphone numbers, occupations, dates of employment, monthly incomes, as well as the numbers and ages of children.

When tipped off about the leak, was able to view or download 1 581 client-related files, 260 photos, and 41 other documents from the SSC website last week. Of these documents, 600 contained over 2 000 names of people whose personal information was either exposed through their SSC registration forms, or contract termination forms.

Most of the documents show that the exposed registration forms and termination letters were submitted between 2013 and 2018.

Given that only viewed a portion of the data, the number of people affected could be well over 2 000.

Milton Shaanika-Louw, who alerted The Namibian to the leak yesterday, said the SSC was slow in addressing the breach because he had reported the matter to the parastatal last week, but nothing had been done.

Shaanika-Louw, who is a consumer activist, said sensitive information of unsuspecting people, such as ID card numbers, could be stolen and used in committing fraud and other crimes.

He said identity theft was as easy as opening an account at a furniture store by using another person’s identity details.

The news about the leak comes after Confidénte reported last week about a syndicate selling national documents to foreign nationals.

According to the newspaper, there was a group of people who obtained identification papers of dead Namibians to use in getting birth certificates for foreigners.

The leak also provided an insight into salary particulars of SSC clients, including how lowly paid some workers are.

For instance, most of the farm workers registered with the SSC earned between N$1 250 and N$2 000 per month, while a gardener earns N$2 200 per month on average.

A trainee teacher at Keetmanshoop earned about N$1 000 per month. Some of the top paying jobs listed in the data included an asset manager who earned N$100 000 per month as of January 2017.

SSC chief executive officer Milka Mungunda said she had only been made aware of the data leak through that was seeking information for the story yesterday.

The link to the SSC leak had been removed from the website by around 16h00 yesterday afternoon. It is, however, not clear how many people might have had access to the data before the link was de-activated.

Mungunda yesterday said the company was not aware of the breach caused by a webpage they outsourced.

“Drastic measures to remove all the SSC files have been taken. No submissions through the website will be done until further notice,” she said.

Mungunda also said internal investigations would be done to secure the website and client data.

In an advertisement today, the SSC urged employers not to register online because of the leak.

A report found on the International Telecommunications Union (ITU) website, a specialised United Nations agency responsible for issues concerning information and communication technology, made several suggestions.

The report, produced by former ITU legal expert on data protection, Pria Chetty recommended that the government introduces a data protection policy to ensure that personal information is used fairly and lawfully, handled according to privacy and data protection rights, retained securely, with the integrity intact, and not transferred outside of the country without proper protection.

In an age of information overload, Sunrise is The Namibian’s morning briefing, delivered at 6h00 from Monday to Friday. It offers a curated rundown of the most important stories from the past 24 hours – occasionally with a light, witty touch. It’s an essential way to stay informed. Subscribe and join our newsletter community.