"Truth is stranger than fiction, but it is because fiction is obliged to stick to possibilities; truth isn't," words that Mark Twain wrote in "Following the Equator: A Journey Around the World" that ring somewhat true if you have been following the Experian Data Breach story as it has been unfolding in South Africa since 19 August 2020. At first, we got to hear about the "data breach" from the South African Banking Risk Information Center (SABRIC).
A few hours after SABRIC's statement, Experian issued their own statement saying that they had curtailed the "data incident" and further stated that it was a victim of someone who "fraudulently requested services from Experian."
This is where it appears that the truth is stranger than what we could have imagined, because the person Experian South Africa is accusing of being the alleged fraudster, Karabo Phungula, a Director at Hi-Pixel Communications, says that not only have they never received any data from Experian nor requested it, they have had a business relationship with Compuscan, a company Experian acquired in 2019.
"I have worked with Compuscan (not Experian) back in 2017, where the transaction went sour because of a payment dispute," said Karabo Phungula, Director at Hi-Pixel Communications in an interview with iAfrikan.
Phungula added that he has never had any dealings or contact with Compuscan or Experian since 2017.
"We had an agreement and they (Compuscan) sent me account login details where I upload ID numbers [South African Identity Numbers] to be submitted for contact update. I have never been a client to Experian."
Business dealings with Compuscan before it was acquired by Experian
This fact, that Phungula is known to some people at Experian through their acquisition of Compuscan, has also been confirmed to iAfrikan by Experian. Asked specifically about Phungula, a spokesperson from Experian global head office confirmed that:
"Experian has not had prior dealings with the Perpetrator [Phungula] however Experian acquired a business in 2019 (Compuscan) who had a once-off client-relationship with the Perpetrator in 2017. The Perpetrator contracted with Compuscan for services, however, failed to pay for the services due to a dispute regarding the services that were rendered. Access to the services was then immediately suspended, the relationship was terminated and a legal process commenced. To confirm there are no ongoing disputes with Phungula."
Compuscan was founded in 1994 as a credit bureau and information services company in South Africa. It marketed itself as a company that assists businesses to manage their credit risk, prevent fraud, target their marketing offers (e.g. lead generation), reward loyal customers, automate their decision-making and educate the workforce. Just like Experian that acquired it, Compuscan also provided individuals in South Africa with the ability to check their credit reports and scores, and "help them protect themselves against identity theft," ironically.
Sources, who contacted iAfrikan anonymously, with knowledge of the 2017 dispute between Compuscan and Phungula have alleged that the amount being mentioned as being in dispute by both Phungula and Compuscan (Experian) is approximately R4 million. This amount was for, among other services, Phungula apparently downloading 13 million personal data records from Compuscan's system as part of the agreement between Hi-Pixel and Compuscan at the time.
Fraudulent misrepresentation of a legitimate client
Given that both Phungula and Experian have confirmed that they have, through a previous business agreement with Compuscan, had business dealings and in fact know each other, we have to go back to something Ferdie Pieterse, CEO of Experian South Africa, said during mid-August 2020 in an interview with iAfrikan.
"The Fraudster impersonated a director of a known company and proceeded to procure services from Experian as a client. The data was shared with the purported client utilizing Experian’s secure data transfer protocols," said Pieterse.
According to Phungula, this is not true.
"How can I fraudulently pretend to be a client of Compuscan when I submitted my genuine documentation?" said Phungula.
Phungula further added that he believes he is being attacked and possibly framed for "my previous dealings with Compuscan, which the deal did not go well as a result of payment disputed."
As Experian's spokesperson confirmed to iAfrikan that there are no ongoing disputes that they or Compuscan have with Phungula (except the ongoing incident revealed on 19 August 2020), what is interesting and curious is how Phungula says the payment dispute with Compuscan was resolved back then.
"I received an invoice from Compuscan in 2017 and the reason for the dispute was that they billed me for records I did not receive (their system did not pull out the requested information which they wanted to bill me for). We then resorted and me making an affidavit under Oath and gave them a copy (and that was it between me and Compuscan), stating that I have no records of the data they are insisting on me to pay for," said Phungula.
South African consumer and business data
At this stage of this stranger than fiction story so far we have to ask ourselves as consumers: what about our privacy and identity theft risk?
I ask this because it appears so far that all Experian and Phungula are concerned about is the monies involved. In all my interviews with both parties, not once has the privacy of consumers been mentioned nor the risk of identity theft should the data fall into the wrong hands.
At first, Experian's Pieterse "assured" the South African public they had seized and deleted the data, only for us at iAfrikan to discover on the morning of 1 September 2020 a link on a publicly viewable website, thanks to another tip-off, that had all the records of 24 million South Africans as mentioned in the Experian Data Breach as well as approximately 700,000 business records that included banking details.
When we approached Experian about this discovery, without any shame in reference to their previous public statements and interviews, they admitted that it was their data floating around the internet.
However, to reiterate, Experian appears not to be too concerned about the risks of this data now being publicly available, they appear to be more concerned about retrieving "financial damages" and "reputational damage" from Phungula.
This is somehow highlighted by the fact that Phungula says that, apart from his parents' house being searched as part of the Anton Piller order Experian obtained against him, no police or law enforcement representatives have been in touch with him.
"They came to my parents' house which is the address they have as my business registered address and requested all devices, I further went with the Sheriff to where I stay (different location) to take my computer so they can search for evidence, they further took my 2 phones with them in order to resume with the search which happened the following day, because they did not have sufficient resource on the day on the Anton Piller. I don’t know if they have a case against me or not," said Phungula.
However, Experian told iAfrikan they have opened a case against Phungula.
"We confirm that we have laid a criminal charge against the suspected perpetrator and that a case number and prosecutor has been assigned to the case."
Furthermore, Experian has said that, without being specific:
"We can confirm that data containing the keywords of the Anton Piller order was found on the hardware that was seized."
At the time of publishing and after trying to find the case number and prosecutor, we could not confirm either.
Two versions of what happened in May 2020
According to Experian, as they have mentioned several times, Phungula pretended to be a legitimate client in May 2020 when he requested both the consumer data and the business data. But who is this legitimate client?
According to sources, and as has now been confirmed by an Experian spokesperson, Phungula is alleged to have e-mailed (via Gmail and later an alleged company e-mail address) pretending to be Tebogo Mogashoa, a Director of Talis Holdings. Talis Holdings owns the following companies according to its website:
- Tebfin - financial solutions.
- cloudseed - Internet Service Provider.
- Talis Fleet - fleet management and vehicle tracking services.
- Talis Property Fund - Property management, development and investment.
"[Tebogo] Mogashoa is a director of the impersonated company. The suspected Perpetrator [Phungula] impersonated Mogashoa. Mogashoa does not have an account with Experian. The suspect impersonated Mogashoa in the onboarding of a new client process," said an Experian spokesperson to iAfrikan.
This is where the truth becomes stranger than fiction because Pieterse (Experian's CEO) has repeatedly said that "an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian."
The distinction between onboarding a new client and a "legitimate client" is important. However, as mentioned, Phungula disputes this and says not only will he be challenging the Anton Piller order, but will also be taking legal action against Experian for, among others, damaging his reputation.
"I have never requested any data from Experian, I lost my laptop and Computer as well as 2 phones which could have possibly been somebody gaining access to my information," said Phungula.
As far as the link between him and Talis Holdings goes, Phungula added that:
"I received a call from a lady asking to speak to Tebogo. I told her I don’t know Tebogo. I have no idea who Tebogo [is] and his company."
Although he couldn't supply the date of when his electronic devices went missing, Phungula sent iAfrikan the following screenshot purporting to indicate the "many unknown login attempts" to his Gmail account.
History repeating itself?
What is also again a concern, and should worry you as a consumer or business in South Africa (despite Experian's Pieterse saying the disclosure of the data breach was premature and causing unnecessary panic) is that none of us would have discovered all this were it not that, again like in 2017, an invoice was not paid.
In this case, it is alleged that it was sometime in July 2020, when some Experian staff were following up on a payment totalling R2,212,919.99, that alarm bells were raised and the matter escalated. The amount was the payment requested for Experian supplying Talis Holdings (allegedly Phungula) with 24 million consumer records and approximately 700,000 business records with banking details.
This, in my humble opinion, is what should worry you as a consumer and business in South Africa. That, had payment been made, this data (which is already public) would have been handed over to whoever is alleged to have requested it to use it for whatever they so wished to use it for.
Phungula has been working, as he confirmed to iAfrikan, in the Direct Marketing industry in South Africa for the past decade. Among others, he does lead generation work for various clients through his company, Hi-Pixel Communications.
"Yes I do lead generation and have been doing that for the past 10 years. I work as an affiliate with company working directly with Insurance and lending partners and generate sales leads for them in return for commission. Currently it's Olico which is one of the biggest lead generation companies in SA and 3 way marketing (but I have not worked with them recently)."
To make this strange development even more strange, it is alleged by several people that this is not the first time that Experian has taken out an Anton Piller order against someone they know. Allegedly, Experian South Africa took out an Anton Piller order against Vivian Pather, now founder and Managing Director of credit bureau XDS and previously Information Technology Director at Experian.
The circumstances around this alleged Anton Piller order are not clear and Experian were cagey when questioned about it.
"We have been advised there is possible confidentiality regarding dealings with Vivian Pather and thus we cannot comment on this at this stage. Can you provide us with more information around this question," said an Experian spokesperson.
Press Release: Experian Data Breach by SABRIC
Article: Experian has experienced an alleged data breach affecting millions by iAfrikan.com
Article: Ferdie Pieterse, CEO at Experian South Africa, answers questions on data breach by iAfrikan.com
Interview: Information Regulator of South Africa shares information on Experian data breach by iAfrikan.com