On 19 August 2020, Experian South Africa was publicly reported to have experienced a data breach. This was first made public by the South African Banking Risk Information Center (SABRIC). Experian would only, reluctantly, issue their statement saying they curtailed a data incident.

Throughout the Experian Data Breach saga, we at iAfrikan have raised some questions given how the order of events appeared to be missing some details. We have also question Experian's delay in reporting the incident and the people involved.

After investigations and a tip-off, we can confirm that the alleged Experian database as mentioned to be part of the data breach, is available on the web on publicly viewable websites and forums. After several hours of communication with Experian, the company finally sent a statement to iAfrikan stating that it believes to have "identified files which we believe contain Experian data relating to the incident on the internet."

"Experian continues to investigate the isolated incident in South Africa involving a fraudulent data inquiry. As a part of this investigation, we have identified files that we believe contain Experian data relating to the incident on the internet. We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible. We can confirm that a criminal case was opened last week in South Africa and the matter is now in the hands of law enforcement. " reads the statement.

Statement Experian sent to iAfrikan after we posed several questions regarding the database we had discovered.

What does the database contain?

Throughout the Experian Data Breach ordeal, the credit bureau has maintained that "no sensitive consumer credit or financial information was obtained by the fraudster in this incident." The phrase has also been repeated by Experian in the above statement.

However, we can confirm that this is not entirely true as a further investigation between iAfrikan and Australian security researcher, Troy Hunt, founder of haveibeenpwned, has revealed.

There are two sets of data contained in the leaked database. The first set contains what appears to be data on about 24 million South Africans in separate files. The columns in each file are as follows:

RSAID
Forename1
surname
CS_File_number
CS_CST_HomeAffairsRSAIDVerf
CS_CELL_PHONE_1
CS_CELL_PHONE_2
CS_CELL_PHONE_3
CS_HOME_PHONE_1
CS_HOME_PHONE_2
CS_HOME_PHONE_3
CS_OTHER_PHONE_1
CS_OTHER_PHONE_2
CS_OTHER_PHONE_3
CS_WORK_PHONE_1
CS_WORK_PHONE_2
CS_WORK_PHONE_3
CS_EMAIL
CS_EMAIL_RANK
CS_Employer
CS_OCCUPATION
CS_Date
CS_EMP1_EMP_NAME
CS_EMP1_DATE_CREATED
CS_EMP1_OCCUPATION
CS_EMP2_EMP_NAME
CS_EMP2_DATE_CREATED
CS_EMP2_OCCUPATION
CS_EMP3_EMP_NAME
CS_EMP3_DATE_CREATED
CS_EMP3_OCCUPATION
CS_Address1_Line_1
CS_Address1_Line_2
CS_Address1_Line_3
CS_Address1_Line_4
CS_Address1_Town
CS_Address1_PostCode
CS_Address1_Province
CS_Address1_Update_Date
CS_Address2_Line_1
CS_Address2_Line_2
CS_Address2_Line_3
CS_Address2_Line_4
CS_Address2_Town
CS_Address2_PostCode
CS_Address2_Province
CS_Address2_Update_Date
CS_Address3_Line_1
CS_Address3_Line_2
CS_Address3_Line_3
CS_Address3_Line_4
CS_Address3_Town
CS_Address3_PostCode
CS_Address3_Province
CS_Address3_Update_Date
Column names of the dataset of 24 million people in South Africa as found in the leaked Experian database files.

As you can see above, this is more than just contact details as Experian's CEO, Ferdie Pieterse, had previously told iAfrikan. It is exactly the type of information that can be used to carry out identity theft and to facilitate financial transactions impersonating another person.

However, the more worrying set of data is the company data. This contains exactly the information that Pieterse and Experian have said it doesn't contain: credit or financial information. 

Kim#                    
Debtor Name
Vat Matched Flag
Legal Name
Alt Name Type
Alt Name
Name Change Type
Changed Name Entity
Company Status               
Reg Number      
Report Date                
Enquiry Amount               
Enquiry Terms   
Bank Code          
Bank Code Date Sicc Source         
Sicc         
Sicc Description         
Employees          
Holding Company            
Turnover Range 
Import/Export   
Fleet      
Score     
Score Comment            
Judgements       
R/D Cheques     
Adverse References        
Telephone          
Postal Address  
Street Address 
Province              
Principals             
Branches             
Liquidation          
Premises             
VAT Number      
Ultimate Holding Company            
Last JU Date       
Auditor Fax         
E-mail    
Bankers Account#             
Branch  
BEE         
NCA
Column names of the dataset of businesses in South Africa as found in the leaked Experian database files.

Experian have continuously tried to downplay this data breach and it is important to highlight that before contacted by iAfrikan earlier today, the company had maintained a PR stance that it had the situation under control and that "the data was seized and deleted."

As we have previously stated and now demonstrated, this is not true as the incident took place in May 2020 and Experian only discovered it in July 2020 before reporting it to the Information Regulator in August 2020.

Investigations into Experian incident continue

At the time of publishing, at least one copy of the data was still publicly available on the web for anyone with the link to download, a worrying matter which we also raised with the Information Regulator earlier on 1 September 2020.

Furthermore, iAfrikan has been made aware that how Experian transferred the data to the suspect was not secure at all as current investigations seem to suggest that Experian sent the link to download the data to the suspect's Gmail address. This is contrary to what Experian had previously said that it transferred the data securely.

As investigations continue, it is important to highlight that this is unlikely a data breach as it appears, so far, that a prior relationship existed between Experian and the suspects, however, this is a matter the courts will have to decide on.

What is important as we highlighted in this episode of the Tech Legal Matters podcast is that people in South Africa remain vigilant to any suspicious financial information requests and suspicious e-mails and texts.

Recommended

Press Release: Experian Data Breach by SABRIC

Article: Experian has experienced an alleged data breach affecting millions by iAfrikan.com

Article: Ferdie Pieterse, CEO at Experian South Africa, answers questions on data breach by iAfrikan.com

Interview: Information Regulator of South Africa shares information on Experian data breach by iAfrikan.com

Podcast: Everything you need to know about the Experian Data Breach

Article: Suspect in Experian Data Breach saga denies receiving any data

Share this via: