During the evening of 19 August 2020 (South African time), it was revealed that Experian South Africa, a subsidiary of the global consumer credit reporting company, suffered a data breach affecting 24 million people and 700,000 businesses in South Africa.
Although Experian reported that it curtailed a data incident, South African banks issued statements saying it was a data breach.
This was further confirmed by the South African Banking Risk Information Centre (SABRIC) in a statement saying that Experian "has experienced a breach of data which has exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster."
To establish more details about the data breach and the events leading up to it, iAfrikan asked Ferdie Pieterse, CEO at Experian South Africa, some questions. Despite the company trying to downplay the incident, Pieterse confirmed that Experian failed to detect that the person was impersonating a customer and went on to send them the database.
Interview with Ferdie Pieterse, CEO at Experian South Africa, about the data breach
iAfrikan: Can we have some proof and indication of who this individual is to establish that it was not negligence or the company's fault?
Ferdie Pieterse, CEO at Experian South Africa: The investigation is in progress and the legal process needs to take its course before we can announce the identity of the fraudster.
Experian instituted an Anton Piller application in the Gauteng High Court, which order was granted and executed against the suspect. An Anton Piller is an extraordinary measure that allows an applicant, who has indicated that it has a prima facie case against the suspect, to take possession of hardware.
In Universal City Studios Inc. v Network Video (Pty) Ltd, the judge said that an Anton Piller might be appropriate in a case "where the applicant can establish prima facie that he has a cause of action against the respondent which he intends to pursue, that the respondent has in his possession specific documents or things which constitute vital evidence in substantiation of the applicant's cause of action (but in respect of which the applicant can claim no real or personal right), that there is a real and well-founded apprehension that this evidence may be hidden or destroyed or in some manner spirited away by the time the case comes to trial, or at any rate to the stage of discovery, and the applicant asks the Court to make an order designed to preserve the evidence in some way."
Therefor (sic) it is not an order that is granted lightly. The onus is extremely high in order to be granted this relief.
How was the database transferred to the individual/company?
The Fraudster impersonated a director of a known company and proceeded to procure services from Experian as a client. The data was shared with the purported client utilising Experian’s secure data transfer protocols.
Didn't Experian conduct any verification checks before sending this database?
Yes, Experian did follow its normal verification processes by requesting specific information on the Client and the Representative, which was then verified. The Purported Client was however impersonated and the verification checks did not identify the identity theft that took place on the side of the client and its Representative.
The access details were also shared with the client, however the fraudster managed to set up fraudulent client domains.
What verification checks does Experian have in place?
Experian has verification controls in place, which include verification checks (i.e. confirming data received with CIPC). We are however enhancing our existing controls.