On 19 August 2020, Experian South Africa was publicly reported to have experienced a data breach. This was first made public by the South African Banking Risk Information Center (SABRIC). Experian would only, reluctantly, issue their statement saying they curtailed a data incident.
Throughout the Experian Data Breach saga, we at iAfrikan have raised some questions given how the order of events appeared to be missing some details. We have also question Experian's delay in reporting the incident and the people involved.
After investigations and a tip-off, we can confirm that the alleged Experian database as mentioned to be part of the data breach, is available on the web on publicly viewable websites and forums. After several hours of communication with Experian, the company finally sent a statement to iAfrikan stating that it believes to have "identified files which we believe contain Experian data relating to the incident on the internet."
"Experian continues to investigate the isolated incident in South Africa involving a fraudulent data inquiry. As a part of this investigation, we have identified files that we believe contain Experian data relating to the incident on the internet. We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible. We can confirm that a criminal case was opened last week in South Africa and the matter is now in the hands of law enforcement. " reads the statement.
What does the database contain?
Throughout the Experian Data Breach ordeal, the credit bureau has maintained that "no sensitive consumer credit or financial information was obtained by the fraudster in this incident." The phrase has also been repeated by Experian in the above statement.
There are two sets of data contained in the leaked database. The first set contains what appears to be data on about 24 million South Africans in separate files. The columns in each file are as follows:
As you can see above, this is more than just contact details as Experian's CEO, Ferdie Pieterse, had previously told iAfrikan. It is exactly the type of information that can be used to carry out identity theft and to facilitate financial transactions impersonating another person.
However, the more worrying set of data is the company data. This contains exactly the information that Pieterse and Experian have said it doesn't contain: credit or financial information.
Experian have continuously tried to downplay this data breach and it is important to highlight that before contacted by iAfrikan earlier today, the company had maintained a PR stance that it had the situation under control and that "the data was seized and deleted."
As we have previously stated and now demonstrated, this is not true as the incident took place in May 2020 and Experian only discovered it in July 2020 before reporting it to the Information Regulator in August 2020.
Investigations into Experian incident continue
At the time of publishing, at least one copy of the data was still publicly available on the web for anyone with the link to download, a worrying matter which we also raised with the Information Regulator earlier on 1 September 2020.
Furthermore, iAfrikan has been made aware that how Experian transferred the data to the suspect was not secure at all as current investigations seem to suggest that Experian sent the link to download the data to the suspect's Gmail address. This is contrary to what Experian had previously said that it transferred the data securely.
As investigations continue, it is important to highlight that this is unlikely a data breach as it appears, so far, that a prior relationship existed between Experian and the suspects, however, this is a matter the courts will have to decide on.
What is important as we highlighted in this episode of the Tech Legal Matters podcast is that people in South Africa remain vigilant to any suspicious financial information requests and suspicious e-mails and texts.
Subcribe to our Daily Brief newsletter
Insights and analysis into how business and technology impact Africa. We promise to leave you smarter and asking the right questions every time after you read it. Sent out every Monday to Friday.
Press Release: Experian Data Breach by SABRIC
Article: Experian has experienced an alleged data breach affecting millions by iAfrikan.com
Article: Ferdie Pieterse, CEO at Experian South Africa, answers questions on data breach by iAfrikan.com
Interview: Information Regulator of South Africa shares information on Experian data breach by iAfrikan.com