The South African subsidiary of Experian, an Irish-domiciled global consumer credit reporting company, has suffered a data breach which it is reported potentially exposes the personal data of 24 million South Africans. According to a statement by the South African Banking Risk Information Centre (SABRIC) the Experian data breach exposed the personal information of as many as 24 million South Africans and 793 749 businesses to a suspected fraudster.

Experian has also confirmed this, stating that their internal investigations revealed that an individual in South Africa, claiming to represent one of their clients, "fraudulently requested services from Experian."

"Experian has confirmed that the breach has been reported to law enforcement and the appropriate regulatory authorities. Banks have been working with Experian and South African Banking Risk Centre (SABRIC) to identify which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds. Banks and SABRIC have also been cooperating with Experian in their efforts to secure the data and ensure the perpetrators are brought to book," reads a statement by Experian.

Contradictory statement by SABRIC and Experian

It doesn't appear that there is an agreement between SABRIC and Experian on what transpired at Experian.

According to SABRIC, Experian "experienced a breach of data." SABRIC further adds and confirms in their statement that the data breach experienced by Experian "exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster."

This sounds contradictory a statement released by Experian titled "Experian South Africa curtails data incident."

Statement by Experian South Africa on the "data incident."

Curiously, in the statement, Experian says that no consumer credit or consumer financial information was obtained.

"We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes. Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services."

This statement by Experian is difficult to prove given that it is the result of their internal investigation and not an investigation by the Information Regulator of South Africa. Added to that, given that South Africa's Protection Of Personal Information Act (POPIA) came into force on 1 July 2020, it is in Experian's, and any other organization that suffers a data breach in South Africa, to minimize the impact of an alleged data breach to avoid punishment and a fine from the Information Regulator.

It further highlights the need for the Information Regulator of South Africa to urgently start conducting independent investigations into data breaches so that consumers are aware of the risks they face and not rely on a statement and internal investigation by an organization.

South African banks go into crisis mode

As soon as it was reported by SABRIC and Experian that there was a potential data breach at the consumer credit reporting company, South African banks started issuing statements warning customers to be on the alert for identity theft and to report any suspicious activities on their accounts. This suggests, as sources close to iAfrikan have said, that there was potentially some personal and possibly financial data of consumers exposed in the data breach contrary to what Experian has said in their statement.

One such bank is South Africa's FNB. They have stated in their statement, without any ambiguity or equivocation that they were made aware that Experian experienced a data breach.

"FNB has been made aware that business and credit information services agency, Experian has experienced a data breach. We are working with The South African Banking Risk Information Centre (SABRIC), The Banking Association of South Africa (BASA), law enforcement and regulatory authorities to mitigate any potential risks on our customers as a result of the incident. Customers are advised to be extra vigilant and follow our recommended security precautions, which can be found on Security Centre on the FNB App and Online Banking," reads a statement by FNB South Africa.

Similarly, another South African bank, Standard Bank, has issued a statement to its customers about an Β "External credit bureau data breach."

"Standard Bank can confirm that it is aware that Experian South Africa is investigating an external credit bureau incident in which some of our client demographic information was fraudulently provided to a third party posing as a legitimate client of Experian (the credit bureau). We are working closely with Experian, the South African Banking Risk Information Centre (SABRIC), the Banking Association of South Africa (BASA) and the Southern African Fraud Prevention Service (SAFPS) to give this investigation the support and urgency it deserves."

Both banks, in a signal to highlight the possible severity of the data breach, have gone on to advise customers to be vigilant and take extra measures to secure their financial information and change their login credentials. Furthermore, they have said that they are taking extra measures to secure their systems.

Second largest data breach South Africa has experienced

The data breach experienced by Experian is the second largest one that is publicly known.

Previously, a data breach including approximately 60 million unique personal records of South Africans was exposed in a data breach on a database that was left on a publicly accessible web server. The database contained information ranging from ID number, marital status, income, company directorships held (and previously held), employment details as well as property ownership information. It is also contained the data for both deceased and alive people in South Africa.

There has been a marked increase in cybersecurity attacks and data breaches on South African organizations. This is the second reported data breach experienced by a South African organization during August 2020. Earlier this week, Momentum Metropolitan reported that it suffered a cyber attack. Similar to Experian, in the absence of an independent investigation, the company minimized the effects of the attack saying that no customer information was accessed.

During June 2020, another South African organization listed on the JSE, Life Healthcare Group, reported that its IT systems suffered "a targeted criminal attack." At the time, the company which operates private hospitals in South Africa and Botswana said that the attack affected its hospital admissions systems, business processing systems, and e-mail servers.

Other notable incidents include Liberty Group in 2018 suffering a data breach in which the hackers demanded money in return for not releasing what they claimed was 40 TB worth of data they managed to access on Liberty's systems. While on the other hand, City Power Johannesburg suffered a ransomware attack during 2019 in which the criminals demanded payment in Bitcoin before bringing the power utilities IT systems and network back up.

At the time, given that POPIA was not enforceable, none of these data breaches could be investigated. This could still be the case given that, despite coming into force on 1 July 2020, the Information Regulator of South Africa has given organizations that handle data of people in South Africa 12 months to be compliant with the data protection Act.

Ongoing investigations

At the time of reporting Experian had said to iAfrikan that investigations are ongoing. Standard Bank and FNB South Africa could also not share any further information beyond what they said in their statements.

Experian says it has notified the National Credit Regulator and the Information Regulator of the "data incident." They added that they have also engaged with BASA (Business Association of South Africa), SABRIC, and the prudential authority at the SARB.

β€œI would like to apologise for the inconvenience caused to any affected parties. Our first priority is to help and support consumers and businesses in South Africa," said Ferdie Pieterse, CEO at Experian.

Curiously and ironically, Experian added that "Experian South Africa bureau’s infrastructure, systems, and database have not been compromised."

Subcribe to our Daily Brief newsletter
Insights and analysis into how business and technology impact Africa. We promise to leave you smarter and asking the right questions every time after you read it. Sent out every Monday to Friday.

Marketing permission: I give my consent to iAfrikan Media to be in touch with me via e-mail using the information I have provided in this form for the purpose of news, updates, and marketing.

What to expect: If you wish to withdraw your consent and stop hearing from us, simply click the unsubscribe link at the bottom of every email we send or contact us at [email protected] We value and respect your personal data and privacy. Do read our privacy policy. By submitting this form, you agree that we may process your information in accordance with these terms.

Recommended: Ferdie Pieterse, CEO at Experian South Africa, responds to questions regarding data breach

Ferdie Pieterse, CEO at Experian South Africa, answers iAfrikan's questions on the data breach the company suffered. Pieterse confirms they didn't detect that the person was impersonating a customer and they sent him the database. [Article]

Recommended: Information Regulator of South Africa shares information on Experian data breach

To get to the bottom of the events leading up to the public disclosure of the Experian South Africa data breach, iAfrikan spoke to the Office of the Information Regulator of South Africa. [Article]

Share this via: