A data leak exposed more than 30 million unique personal records of South Africans following an alleged breach that took place around May 2017, according to an investigation by security researcher Troy Hunt.

Hunt received a 27GB file that, he believes, “is definitely floating around between traders.” Based on the headers published on Pastebin, the Leaked data includes unique ID numbers, marital status, employment history, property ownership, income and company dictatorships, and other information from as early as the 90s. Some of the data belongs to people who are now deceased.

A further investigation was carried out by iAfrikan, who found that the database was publicly available on the internet, even after the leak was detected. iAfrikan looked into the possible companies that may have been breached.

An investigation of South Africa’s largest credit bureau, TransUnion, led to data aggregator Dracore Data Sciences, a client of TransUnion. The search went deeper into their GoVault platform, whose domain was registered to Jigsaw Holdings (Pty) Ltd, affiliated to the Dracore business. The company may have been breached or leaked the data without knowing, the article suggests.

In an interview with Troy Hunt, the researcher says Dracore Data Sciences may have collected a lot of data without user consent, which they published to an unsecured web server.

“This, however, does not necessarily mean they were responsible for the site where the leaked records were found,” concludes iAfrikan.