Mauritius introduced Data Protection legislation in 2017. One of the objectives of the legislation was to strengthen the control and personal autonomy of data subjects over their personal data.
A security researcher disclosed that there was an unsecured database exposing 589,000 customer records on 1 September. I sent a request to the security researcher on 4 September to attempt to confirm the accuracy of the information. I unfortunately did not receive any reply.
I informed the data controller that there was a report on LinkedIn about a data breach. I tried to find out whether any of the subscriber data types mentioned in the report were shared with third parties, and whether any of the third parties reported a breach.
There was a news report on 15 September about 589,697 records which were hosted within the 95/8 network. It was stated that: Out of a sample of 19 people called, six positively confirmed the data, five did not answer, five numbers were unreachable (phone switched off), one caller did not wish to answer and two corresponded to suspended lines, in accordance with the information appearing in the dataset.
I visited the website of the company after that. The latest communication to its customers was dated 3 September. There wasn't any information relating to a data breach.
I contacted the Data Protection Office on 24 September and informed it about the report of a data breach. I explained that I contacted the company but I did not receive any reply from its data protection officer. I received a reply from the Data Protection Officer/Senior Data Protection Officer (Data Protection Office) informing me that the Office has opened an enquiry into the alleged data breach.
I received a reply from the company on 2 October.
The company took 27 days to respond to a request for information about a data breach claim. The IP address range on which the unsecured database was running is not allocated to a company in Mauritius. A rational explanation is that the unsecured database is operated by a third party. The company did not provide any information about whether any personal data is processed by third parties. It is not possible for a person to have much control over his/her personal data if the person is not informed about the third parties with whom the personal data is shared.
There was a news report about a data breach. However, there isn't any public information about an enquiry into the alleged data breach. The lack of information does not foster public confidence.
Let's assume that a company makes it mandatory for its customers to join a social network to receive its official communication. Such a requirement would give a customer less control over his/her personal data. Furthermore, a customer would have less recourse, if any, if the social network was impacted by a data breach.
I would like to thank the reporter for confirming the methodology which was described in the news report. I would also like to thank the person who provided some details about the MongoDB database.
1. "Unsecured Database Exposes 589,000 Telecom Customer Records in Mauritius", September 2025
2. "Données confidentielles de clients de MT exposées", lexpress.mu, September 2025
3. The news report was written in French. It was translated from French to English.