On 19 August 2020, Experian South Africa was publicly reported to have experienced a data breach. This was first made public by the South African Banking Risk Information Center (SABRIC). Experian would only reluctantly issue its statement, saying it had curtailed a data incident.
Throughout the Experian Data Breach saga, we at iAfrikan have raised some questions, given how the order of events appeared to be missing some details. We have also questioned Experian's delay in reporting the incident and the people involved.
After investigations and a tip-off, we can confirm that the alleged Experian database said to be part of the data breach is available on publicly viewable websites and forums. After several hours of communication with Experian, the company finally sent a statement to iAfrikan saying that it has "identified files which we believe contain Experian data relating to the incident on the internet."
"Experian continues to investigate the isolated incident in South Africa involving a fraudulent data inquiry. As a part of this investigation, we have identified files that we believe contain Experian data relating to the incident on the internet. We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible. We can confirm that a criminal case was opened last week in South Africa and the matter is now in the hands of law enforcement," reads the statement.
What does the database contain?
Throughout the Experian Data Breach ordeal, the credit bureau has maintained that "no sensitive consumer credit or financial information was obtained by the fraudster in this incident." The phrase has also been repeated by Experian in the above statement.
However, we can confirm that this is not entirely true, as a further investigation by iAfrikan and Australian security researcher Troy Hunt, founder of haveibeenpwned, has revealed.
There are two sets of data contained in the leaked database. The first set contains what appears to be data on about 24 million South Africans in separate files. The columns in each file are as follows:
RSAID
Forename1
surname
CS_File_number
CS_CST_HomeAffairsRSAIDVerf
CS_CELL_PHONE_1
CS_CELL_PHONE_2
CS_CELL_PHONE_3
CS_HOME_PHONE_1
CS_HOME_PHONE_2
CS_HOME_PHONE_3
CS_OTHER_PHONE_1
CS_OTHER_PHONE_2
CS_OTHER_PHONE_3
CS_WORK_PHONE_1
CS_WORK_PHONE_2
CS_WORK_PHONE_3
CS_EMAIL
CS_EMAIL_RANK
CS_Employer
CS_OCCUPATION
CS_Date
CS_EMP1_EMP_NAME
CS_EMP1_DATE_CREATED
CS_EMP1_OCCUPATION
CS_EMP2_EMP_NAME
CS_EMP2_DATE_CREATED
CS_EMP2_OCCUPATION
CS_EMP3_EMP_NAME
CS_EMP3_DATE_CREATED
CS_EMP3_OCCUPATION
CS_Address1_Line_1
CS_Address1_Line_2
CS_Address1_Line_3
CS_Address1_Line_4
CS_Address1_Town
CS_Address1_PostCode
CS_Address1_Province
CS_Address1_Update_Date
CS_Address2_Line_1
CS_Address2_Line_2
CS_Address2_Line_3
CS_Address2_Line_4
CS_Address2_Town
CS_Address2_PostCode
CS_Address2_Province
CS_Address2_Update_Date
CS_Address3_Line_1
CS_Address3_Line_2
CS_Address3_Line_3
CS_Address3_Line_4
CS_Address3_Town
CS_Address3_PostCode
CS_Address3_Province
CS_Address3_Update_Date
As you can see above, this is more than just contact details, contrary to what Experian's CEO, Ferdie Pieterse, had previously told iAfrikan. It is exactly the type of information that can be used to carry out identity theft and to facilitate financial transactions impersonating another person.
However, the more worrying set of data is the company data. This contains exactly the information that Pieterse and Experian have said it doesn't contain: credit or financial information.
Kim#
Debtor Name
Vat Matched Flag
Legal Name
Alt Name Type
Alt Name
Name Change Type
Changed Name Entity
Company Status
Reg Number
Report Date
Enquiry Amount
Enquiry Terms
Bank Code
Bank Code Date Sicc Source
Sicc
Sicc Description
Employees
Holding Company
Turnover Range
Import/Export
Fleet
Score
Score Comment
Judgements
R/D Cheques
Adverse References
Telephone
Postal Address
Street Address
Province
Principals
Branches
Liquidation
Premises
VAT Number
Ultimate Holding Company
Last JU Date
Auditor Fax
E-mail
Bankers Account#
Branch
BEE
NCA
Experian has continuously tried to downplay this data breach, and it is important to highlight that, before being contacted by iAfrikan earlier today, the company had maintained a PR stance that it had the situation under control and that "the data was seized and deleted."
As we have previously stated and now demonstrated, this is not true as the incident took place in May 2020 and Experian only discovered it in July 2020 before reporting it to the Information Regulator in August 2020.
Investigations into Experian incident continue
At the time of publishing, at least one copy of the data was still publicly available on the web for anyone with the link to download, a worrying matter which we also raised with the Information Regulator earlier on 1 September 2020.
Furthermore, iAfrikan has been made aware that the way Experian transferred the data to the suspect was not secure at all: current investigations seem to suggest that Experian sent the link to download the data to the suspect's Gmail address. This is contrary to Experian's previous statement that it transferred the data securely.
As investigations continue, it is important to highlight that this is unlikely to be a data breach, as it appears, so far, that a prior relationship existed between Experian and the suspects. However, this is a matter the courts will have to decide on.
What is important, as we highlighted in this episode of the Tech Legal Matters podcast, is that people in South Africa remain vigilant to any suspicious financial information requests and suspicious e-mails and texts.