Data leak 'possibly started in 2015 already'
The personal records of just over 60 million South Africans could have been publicly available for download for the past two and a half years.
A web security expert who found the 'Master Deeds' file says both the file and web server are dated April 2015.
It contains sensitive information, including ID numbers, addresses and contact details.
Microsoft regional director in Australia, Troy Hunt, further confirms the information has been exposed, at least for the past seven months.
"So we know that at the very least it was exposed in March when someone sent it to me and it was still exposed yesterday (Tuesday)," Hunt told Jacaranda FM during a Skype interview.
He says the file was found on a "publicly accessible web server".
"It came from a location where the data was still exposed," he explains. "This was simply a web server facing the public web with no password, no authentication or password controls."
The 27 gigabyte file contains names, ethnicity, ID numbers and 2.2 million email addresses, among others.
Hunt was unable to comment on how many South Africans are exposed, but adds the data includes information of both living and deceased citizens.
"It's going to be very hard to tell exactly how many people are impacted, but it's pretty safe to say it's a significant portion of the population," adds Hunt.
-Who is responsible?-
Initially, suspicions were raised that the Gauteng based Dracore Data Sciences was responsible for the data leak.
But the company has since vociferously denied reports implicating it.
"Dracore has got no part in this data leak at all," its managing director Chantelle Fraser told Jacaranda FM News by telephone.
She says they instituted an internal investigation when they were informed of the data.
Dracore's technical manager Mark Nieuwoudt confirms their investigation found the data can be linked to real estate company Jigsaw Holdings.
Jacaranda FM News has so far not managed to get a response from Jigsaw.
Hunt says it's clear that no database was hacked.
"This was not a vulnerability in someone's software that was exploited or wasn't a weak password that someone tried to guess and force their way into a system," says Hunt.
He adds the company that owned the web server published the database itself.
Hunt has added the email addresses to his website haveibeenpwned.com where South Africans can submit their email to see if their information has been exposed.
However, Hunt explains there were only 2.2million email addresses exposed of the 60 million records.