Government Dumps Sensitive Employee Information On The Internet ZEC Style

Tinashe Nyahasha

9 April 2020

Respect for data privacy and internet security is not well understood in Zimbabwe. The government is a major culprit in this crime of ignorance. Two years ago, the voter’s roll was accessed by some unscrupulous folks who just dumped the whole darn thing on the internet full of our names, ID numbers and residential addresses.

Since then the voters’ roll is being used in an unintended way by some businesses including several banks which we will not name. They are using it to do KYC verification et al. However, when we registered as voters we never signed up for that data to be used in that way let alone by private corporations.

Yes, it wasn’t the Zimbabwe Electoral Commission nor the government that uploaded the roll onto the internet (at least we don’t think so) but ultimately it was their responsibility to ensure whoever was entitled to a copy of the document treated that data with absolute integrity and they should have investigated the breach. It doesn’t seem they investigated anything. That’s because appreciation for these issues is quite low.

Now the government has exposed its employees

We will of course not share a link! However, we can explicitly say that the Public Service Commission, the ’employer of all government workers (civil servants),’ has exposed sensitive data of their employees on the internet.

This information is in a PDF document titled:

MEMBERS ON THE SSB PAYROLL WITHOUT BIOMETRIC DATA

This is a 223 paged document with lists of civil servants showing their full names, their employment ID numbers, national ID numbers and where they work (the specific institution and district). This is gold mine information for all sorts of scammers and phishers.

Here is what the lists look like:

The irony

This document is a record of employees who for some reason have not yet had their biometric information entered into the government’s new database for such. If they don’t respect the integrity of personal information like this, should they be trusted with even more personal data: biometric data?

How did we come to know this?

We were doing a Google search on some individual we were interested in. One click led to another and viola!

To be honest, it wan’t one click leading to another, it was easier than that.

Cybersecurity bill is in the works

The Parliament of Zimbabwe is currently working on a Cybersecurity and Data Privacy bill. When the bill gets into law, the government will probably be found to be the biggest violator of the law.

Of course the disappointment about the whole bill is that senior government officers only ever bring it up in connection with nuzzling social media. The bigger problem is throwing people’s personal information all over the internet like this

Security

17 comments

What’s your take?

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Imi Vanhu Musadaro

9 April 2020 15:27

The responsible thing would be to inform the PSC about this information leak, before publicising it. It doesn’t take 30 seconds to find the document, via Google, so it doesn’t help to give a shallow indemnification that you didn’t put up a link.

It’s easy to call out government for being irresponsible with private information, but so have you.

Reply
1. Tinashe Nyahasha
  
  9 April 2020 15:32
  
  Did you get it in 30 seconds?
  
  Reply
  1. Phidza
    
    9 April 2020 15:52
    
    I got it in 30 secs, I just googled “health matabeleland south prov” with the quotes to limit results and only one link came up.
    
    Reply
  2. Imi Vanhu Musadaro
    
    9 April 2020 19:57
    
    Less than 30 seconds, as a matter of fact.
    
    Sadly, that was the only thing to took away from my comment. 🤦🏾‍♂️
    
    Reply
    1. Tinashe Nyahasha
      
      9 April 2020 20:21
      
      Actually it wasn’t. I was just curious. I got your point the first time. I had considered the implications at first before writing and convinced myself (maybe wrongly) that no one at PSC would listen but they may be forced if someone else they trust comes across this article explains to them what they should do.
      
      It’s not always easy to make the right call on these things, I will admit that
      
      Reply
Tawanda

9 April 2020 20:20

This is irresponsible journalism, shows you are an amateur and you should be help responsible for any abuse of peoples details from this document. Techzim where do you get people like this?

Reply
1. Tinashe Nyahasha
  
  9 April 2020 20:25
  
  Do you remember the picture of a woman lying in the streets after being beaten up by the police after elections in 2018 and there were scores of journalists surrounding her and taking pictures?
  
  Or the one of a small hungry child crawling to a feeding station at a refugee camp whilst a vulture was falling at a short distance waiting for the child to die?
  
  Responsible journalism is not what you think it is.
  
  But perhaps I failed to be a responsible citizen. I can accept that one
  
  Reply
2. fiend
  
  11 April 2020 10:40
  
  Who says they’re journalists?
  
  There’s a general standard of disclosure of such things within IT.
  
  TechZim bloggers failed to follow it and did not give the affected party a chance to rectify it. Just for the sake of pushing articlrs.
  
  You don’t even have ethics.
  
  Reply
jon snow

9 April 2020 22:06

if you look at the site im sure we can see that this was intentionally published, i see no need to bash techzim here, go talk to psc.

Reply
Rational Ear

10 April 2020 07:54

This is exactly how Zimbabweans fail. An issue has been raised/reported. Instead of addressing the issue at hand, we cowardly waste time bashing the person who reported the issue until the whole thing is overtaken by time and other events. Eyes on the pie people, eyes on the pie. Don’t be distracted!

Reply
1. Phidza
  
  10 April 2020 08:28
  
  How do we address the issue at hand? What have you done to address the issue?
  
  Reply
Tawanda Kembo

10 April 2020 08:34

This is irresponsible disclosure. You should have only disclosed this after the data was removed from the web. I suggest you remove this article and put it back online after the government has removed the data from their website.
This is not right.

Reply
jon snow

10 April 2020 13:53

The problem is we have a lot of CEHs😂😂😂😂, go tell psc that they disclosed personal info, and then come back here so we can talk about “ethics”

Reply
Jay S

10 April 2020 14:22

Central Computing Services, temperature bho here? How many IT degrees are employed to stop this happening? I’m waiting to hear of heads rolling internally for incompetence. Someone has to go home for this.

Reply
Grammar Enthusiast

10 April 2020 20:38

The “typo” you point out not actually an error.
The payroll is a list, so the members are ‘on’ it, not “of” it.

Reply
1. Tinashe Nyahasha
  
  10 April 2020 20:56
  
  You are right!
  Thanks
  
  Reply
Anonymous

11 April 2020 05:46

Journalism is not about reporting to authorities that e.g. sewage is flowing in the river. Rather it is reporting it as a story in the media. A journalist must give out news and information.

I dare anyone to actually take the time to call or goto PSC to report the matter. Countless hours trying to tell them that the problem is that private information is online. They will only see the problem after a senior executive says it is a problem and not a lay man from the streets.

Reply

Connect with us

Home