Personal Data Of 24 Million South Africans Exposed By Experian Breach

The South African branch of credit agency Experian has been compromised by a fraudster pretending to be a client, which has compromised the data of millions of South Africans.

According to Business Insider South Africa, this incident is one of largest ever data breaches in the country.

It is reported that the personal financial data of of as many as 24 million South Africans, and nearly 800,000 business have been compromised.

South African breach

Experian South Africa issued a statement, which it labelled as an “isolated incident,” and did not disclose the sheer scale of the breach or the numbers of customers impacted.

“Experian South Africa is continuing to investigate an isolated incident in South Africa involving a fraudulent data inquiry,” it said. “Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian. The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”

“We can confirm that no consumer credit or consumer financial information was obtained,” said the credit agency. “Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes. Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”

And it seems that Experian South Africa has identified the suspect and managed to seize the “individual’s hardware”.

It also claimed that “the misappropriated data” has now been secured, but did not say if the data had been copied.

Experian South Africa said that when it discovered the incident, it notified the National Credit Regulator and the Information Regulator of the incident.

It stressed that Experian South Africa bureau’s infrastructure, systems and database have not been compromised.

“I would like to apologise for the inconvenience caused to any affected parties,” said Experian Africa CEO Ferdie Pieterse. “Our first priority is to help and support consumers and businesses in South Africa.”

“As a precaution we advise anyone who may have concerns to regularly check their credit report,” the firm said.

Swift action

The fact that Experian South Africa claims to have recovered the stolen data was noted by security professionals.

“It’s encouraging to see how quickly Experian made the breach public and informed the necessary authorities,” said Heino Gevers, cybersecurity expert at Mimecast.

“Judging by their statement, swift action was taken to impound the stolen data and delete it,” said Gevers. “Hopefully, their quick response means no copies were made, but irrespective banking customers should be on high alert for targeted phishing and impersonation attacks via email, SMS or phone call.”

“Banks will be contacting their customers about the breach, but it’s important for individuals to verify the legitimacy of every piece of communication they receive,” said Gevers. “Do not click on links and do not hand over personal information over the phone or via electronic communication. Rather go directly to the bank’s website.”

“It’s easy for criminals to register lookalike domains and launch sophisticated attacks impersonating trusted brands that are nearly indistinguishable from the real thing,” cautioned Gevers.

“It’s become common for malicious actors to use our favourite brands and services to trick people into handing over money or sensitive information,” he warned. “Individuals should therefore remain cyber aware at all times, irrespective of whether the information of this particular breach remains in the wrong hands at this time.”

Previous breaches

This is not the first time Experian has suffered a data breach.

In 2011 and 2012, Experian suffered a breach when hackers compromised an employee system at Abilene Telco Federal Credit Union, and took the bank’s password for its Experian account.

The hackers then used that access to steal credit reports on 847 people, but also managed to steal a host of data, including financial information and social security numbers, on other people across the US.

It was claimed Experian had its database breached 80 times in this single breach, with almost 15,500 credit reports pilfered.

Then in 2015 the boss of T-Mobile in the United States angrily hit out at Experian after it was notified that the credit agency had uncovered a hack that compromised the personal details of 15 million of its US customers.