Ultrasonic Acoustic Attack
(Image Source: Stock Image)

Exposed: South African Government Website Published Personal Data of its Lawmakers

An extensive analysis has uncovered that members of the South African parliament have had their personal contact information, including emails and phone numbers, publicly listed on the parliament’s official website.

This exposure has inadvertently created significant operational security vulnerabilities, potentially leaving these lawmakers open to espionage attempts, targeted influence campaigns, and other malicious activities by hostile actors.

Detailed in “Operational Security: Failure Within the South African Government,” published by OSINT.Industries, the document highlights how the public listing of legislators’ personal emails and phone numbers, rather than using official @parliament.gov.za addresses, has enabled the creation of comprehensive digital footprints through open-source intelligence (OSINT) tools.

According to the findings, parliamentarians have left a trail of over 1,500 public Google reviews across the globe since 2015, revealing intimate details about their travel patterns, dining preferences, medical treatments, and more. This information, combined with data from fitness apps like Strava, which leaks real-time GPS locations and historic running/cycling routes, has painted an alarmingly detailed picture of the legislators’ personal lives.

“There are not many countries in the world that list personal emails of members of parliament on the public website,” explained Nathaniel Fried, the CEO of OSINT.Industries in a direct message to The Debrief. “When I first saw it on the South African government, I was horrified.”

OSINT.Industries is a real-time open-source intelligence platform designed to speed up and automate the work of OSINT analysts. Founded by a team of tool developers whose pedigree includes popular intelligence tools like GHunt and Holehe, the company aims to make OSINT investigations more efficient.

“We give it for free to nonprofits and journalists investigating child exploitation, human trafficking and more,” Fried says. “Our mission is to simplify and speed up OSINT investigations to help investigators and law enforcement agencies in making the world a better place.”

The document highlights specific instances where this exposure could be exploited by malicious actors. For example, reviews left at medical facilities could disclose sensitive information about treatments undergone by legislators or their families, potentially enabling infiltration by hostile agents.

Furthermore, publicly reviewing hotels, nightclubs, and tourist destinations during foreign travel, especially to nations with ambiguous security controls, provides ample information for foreign intelligence agencies to conduct influence operations.

Utilizing their tool, OSINT.Industries’ analysts took the roughly 600 emails published on the parliament.gov.za website and found several thousand profiles being used on both @parliment.gov.za and personal email addresses.

From social media profiles and Spotify playlists to Goodreads and fitness apps to multiple accounts on various pornographic media sites like Pornhub and Xvideos, the South African parliament website is a massive operational security nightmare.

South Africa
A screenshot of the popular websites that host accounts attached to the emails on the parliament’s website. (Image: OSINT.Industries)

The exposure makes parliament members vulnerable to espionage, targeted influence campaigns, and spying activities by hostile actors, the document explains. Families, travel patterns, personal lifestyles, and other sensitive information are exposed through public reviews, fitness app data, and online accounts.

“When people use services, they are used to the risk of their data being leaked in a data breach, and are aware of the downside of spam calls/phishing attempts, etc. I’ve done a lot of work in that space, particularly around child data rights,” Fried told The Debrief. “What people do not realize is that the information you willingly share publicly can, in some cases, be massive and, if you’re a public figure, trivially easy to weaponize against you.” 

In light of these findings, the document urgently recommends a series of actions to mitigate the operational security risks faced by South African parliamentarians. It suggests that all members immediately transition to using an official government email to contain and reduce the spread of personal data.

The government must complete a comprehensive audit and remove current personal email and phone number listings from public domains, and provide mandatory operational security training for all parliament members and associated staff, focusing on the risks of sharing personal information online.

“South Africa should have a digital hygiene policy,” Fried explained, stating that parliamentarians should know what information they are sharing, and then maintain a proper divide between their digital work and their personal lives. 

As the South African government grapples with this operational security failure, the need for robust data protection measures and stringent privacy protocols has become increasingly apparent. The exposure of personal information, once thought innocuous, has highlighted the vulnerabilities faced by public officials in the digital age.

The Debrief reached out to representatives in the South African Parliament, but they did not respond to requests for comment as of the time of publication.

The report published by OSINT.Industries can be found here.

MJ Banias is a journalist who covers security and technology. You can find his work here. He co-hosts The Debrief Weekly Report. and you can email MJ at mj@thedebrief.org or follow him on Twitter @mjbanias.