Who sold my phone number?

2026-03-27 - 09:30

One of the most persistent irritations for many South Africans is the volume of unsolicited marketing calls. Last year, the problem escalated to the point where I was receiving, on average, three to four such calls a day. On one particularly bad day, that number reached eight. As a journalist, I also receive a significant number of legitimate calls from the Moneyweb community, many of which appear only as unfamiliar numbers. This makes it difficult to screen calls and avoid unsolicited contact. Source for personal contact details The eight-calls-day prompted me to investigate where my personal contact details were being sourced. I began with a series of online searches and was struck by how widely my information was available on the internet. My contact details were publicly available on a number of international database platforms, including ContactOut, Datanyze, FlashIntel, PIPL and RocketReach. These platforms market access to such information to companies for use in sales prospecting and direct marketing campaigns. They also boast about the scale and depth of their databases as part of their offering. Personal information made public Across these platforms, a significant amount of personal information about me was listed. This included standard details such as my name, phone number, email address and professional designation. However, in aggregate, the platforms also reflected more extensive information, including my date of birth, academic qualifications, stated interests and a personal email address that I have deliberately tried to keep out of the public domain. I engaged with these platforms, and each provided links allowing me to “opt out” and request the deletion of my details from their databases. Giving out details In some cases, they also indicated that such requests would be passed on to third parties to whom the data had been supplied. They did not disclose the identity of these third parties. Some platforms further disclosed the sources from which the information was obtained. These extended well beyond social media sites such as LinkedIn and Facebook and, in certain instances, included references to “mobile directories” and other unnamed online repositories. Several also indicated that they do not consider themselves bound by the Protection of Personal Information Act (Popia), as they are based outside South Africa. I opted out of these services. Within a few days, the volume of unsolicited calls began to decline, and within a few weeks, they had stopped altogether. At the time, I was particularly concerned about the extent of information held by RocketReach and lodged a formal complaint with The Information Regulator (South Africa). The regulator’s investigation took several months. In its response, it indicated that it would not take further action in this instance, noting that I had requested the removal of my personal information and that the calls had ceased. The case was closed, and the matter was not pursued further. Oracle Broker Services This changed in February this year, when the unsolicited calls resumed. I decided to use the next unsolicited call to establish where my details were being sourced from. The first such call came from an agent representing Oracle Broker Services, a Johannesburg-based insurance broker. The agent had my phone number and addressed me by name. I identified myself as a journalist and asked where she had obtained my personal information. She only replied that it came from a “referral list”. I was able to identify the company through the phone number and subsequently engaged with its managing director, Mark Eliason. He initially apologised but declined to disclose the source of the lead containing my information. He did, however, state that the data had been obtained from a “Popia-compliant” supplier. Sourced from publicly available material Following several exchanges, Eliason eventually disclosed that Oracle Broker Services had sourced the information from Prescon List Management, a business with a limited online presence. I sent a series of questions to a representative and was subsequently contacted by Tony Sham of Research Associates, who said he works with Prescon. Sham stated that my information had been sourced from publicly available online material. He added that a “rogue researcher” had placed an “incorrect marker” on the database indicating that I had given consent to be contacted. He acknowledged that this was incorrect and apologised for the error. Specific document Sham further indicated that my information had been sourced from a PDF document published on the property group Accelerate’s website in 2019. At the time, I had engaged with the company as part of a separate investigation, and the document – which included my questions and the company’s responses – was made available to its stakeholders. My contact details appeared in that document, and I had no objection to its publication in that context. However, I never thought in my wildest dreams that it would be extracted, stored in a database and subsequently sold to third parties for use in unsolicited marketing calls. Sham said the information had been in the database since 2019. He added: “We understand that if you had the record on the database before a certain date, you were able to keep it. The law is not clear. But we remove anybody who asks to be removed. We don’t argue.” He also indicated that the Prescon database had not been compared with the Direct Marketing Association’s opt-out database, in which I have previously registered. I submitted questions to the association, but did not receive a response. Information regulator The Information Regulator was more forthcoming in its responses, confirming that unsolicited electronic communications for direct marketing purposes require prior consent, and that companies must be transparent about how personal information is obtained and used. It further noted that where information is sourced from a third party, such as Prescon, the company making the call must disclose where it obtained the data, and therefore cannot shift responsibility for compliance to its supplier. The regulator added that individuals are entitled to know how their personal information is used and shared with third parties. However, it declined to express a view on whether this specific case constituted a contravention of Popia, citing the need to maintain impartiality should a formal complaint be lodged. Is Popia worth the paper it is written on? Based on this experience, Popia appears to be a well-intentioned piece of legislation, but one that is difficult to enforce in practice. In this case, the data was removed once I identified the source and requested deletion. That, however, required a detailed investigation, which few people have the time or resources for. In many instances, it is not clear which database holds the information, and attempts to establish the source are often met with resistance, or the call simply ends when the question is asked. While some operators may comply when challenged, the practical burden remains on the individual to trace and stop the abuse of their personal information. It may also reflect capacity constraints. In its 2025 annual report, the Information Regulator states that its total budget was R111 million, of which R81.5 million was allocated to salaries, which it notes are “not competitive in the open market”. The system is designed to protect personal information, but in practice, it often responds only after that information has already been used. In many cases, individuals must first identify the source of the breach and take action themselves before any remedy follows. Until enforcement becomes more visible and consistent, the promise of Popia will continue to fall short of its intended protection. This article was republished from Moneyweb. Read the original here.