On 19 August 2020 (South African time), Experian South Africa, a subsidiary of the global consumer credit reporting company, released a statement saying it had "curtailed a data incident." Experian only sent and published this statement several hours after the South African Banking Risk Information Centre (SABRIC) released a media statement saying that Experian had suffered a data breach affecting 24 million people and 700,000 businesses in South Africa.

It was notable that SABRIC, and not Experian, the company that actually suffered the breach, was the first organization to go public on the incident. Added to that, there appeared to be a contradiction between the statements by SABRIC, Standard Bank, and FNB South Africa and the statement released by Experian. There was also a contradiction between Experian's press release and what the company's CEO, Ferdie Pieterse, told iAfrikan in an interview.

To get to the bottom of the events leading up to the public disclosure of the Experian South Africa data breach, iAfrikan spoke to the Office of the Information Regulator of South Africa. What the Information Regulator told us confirms what sources working in the risk divisions of some of South Africa's top banks told iAfrikan: Experian had known about the data breach for several weeks and had, several weeks earlier, met with all the banks to inform them of it.

What is not clear is why Experian, which by the Regulator's account discovered the breach on 22 July 2020, waited more than two weeks to approach the Information Regulator of South Africa (6 August) and a further week to submit its report (14 August), and why it released its own statement, which tried to downplay the breach, only after SABRIC had already disclosed it.

The Information Regulator has said that it will be investigating the data breach further.

Information Regulator of South Africa shares more information on the Experian data breach

Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa.

iAfrikan: Was the Information Regulator made aware by Experian South Africa about this data breach before the company made a media statement?

Office of the Information Regulator of South Africa: On 6th August 2020 Experian, a credit bureau in South Africa, sent an email to the Information Regulator (IR) and requested an urgent meeting to "discuss a matter".

On 7th August 2020 the Regulator met with Experian where it was advised that a breach was experienced. The Regulator advised Experian to report the breach in accordance with Section 22 of POPIA. Experian then sent a report to the Regulator on 14th August 2020.

Did the company confirm it was a data breach and/or negligence on their part?

In the letter of the 14 August 2020 Experian advised the Regulator that they were a victim of a fraudulent misrepresentation that occurred in May 2020.

What is the protocol regarding notifying customers who might be affected by this data breach according to the Information Regulator, i.e. what is Experian’s obligation in notifying the potential 24 million people who might be at risk?

There is an obligation on the part of the responsible party (Experian) to notify the Regulator and the data subject, unless the identity of such data subject cannot be established, where there is a reasonable ground to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.

The notification must be made in writing and provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise.

Notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

The responsible party must provide the data subject with a description of the possible consequences of the security compromise; outline measures that the responsible party intends to take or has taken to address the security compromise; make a recommendation as to how a data subject can mitigate the effect of the security compromise and disclose if the responsible party is aware of the identity of the unauthorised person who may have accessed or acquired the personal information.

The Regulator is not in possession of information.

Are credit bureaus legal under POPIA given that they aggregate personal data without consent and sell it?

Credit bureaus are legal entities and would be classified as a responsible party in terms of POPIA. They are obliged to comply with the eight Conditions for lawful processing of personal information. E.g. credit bureaus can only process personal information if consent from a data subject is obtained, if information is collected directly from the data subject and if such information is collected for a specific purpose.

The responsible party must secure the integrity and confidentiality of personal information in its possession or under its control. It must take reasonable, technical and organisational measures to prevent loss or damage or unlawful access to personal information in its possession and under its control.

Will the Information Regulator be taking any action against Experian?

Section 114(1) of POPIA states that all forms of processing of personal information must, within one year after the commencement of the section, be made to conform to the Act. This requires compliance with the Act by 1st July 2021. Due to the fact that the Act is not in full operation, the enforcement powers of the Regulator cannot be exercised.

The Regulator will meet with Experian to clarify the circumstances around the incident and can recommend certain interventions to comply with generally accepted information security practices. The Regulator will require Experian to:

i) Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

ii) Establish and maintain appropriate safeguards against the risk identified;

iii) Regularly verify that its safeguards are effectively implemented;

iv) Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards and

v) Have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and standards.

Experian will be further required to disclose the cause of the security data breach, furnish details of the investigation into the data security breach and advise on security measures that it has put in place to prevent a recurrence of such a data security breach.

Nothing prevents data subjects from exercising their contractual rights and pursuing a civil claim against the responsible party.

Is there anything else you'd like to share regarding this data breach?

The Regulator is aware that the breach was purportedly discovered on the 22nd July 2020. Yet, Experian approached the Regulator on the 6th August 2020 for a meeting. The Regulator received a report from Experian on the 14th August 2020. POPIA is clear to state that notification must be made as soon as reasonably possible after the discovery of a compromise whilst considering the needs of law enforcement or any measures which may reasonably be required to determine the extent of the compromise.

Some jurisdictions require reporting without undue delay and require that a breach be reported within 72 hours of discovery (Article 33 of the General Data Protection Regulation).

