Late on Wednesday evening Experian revealed that it had been the target of a successful data breach that affects as many as 24 million South African citizens and 793 749 businesses.
“Experian South Africa is continuing to investigate an isolated incident in South Africa involving a fraudulent data inquiry. Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian. The services involved the release of information which is provided in the ordinary course of business or which is publicly available,” wrote Experian in a consumer notification.
The firm says that upon discovering the incident it alerted the National Credit Regulator and the Information Regulator as this incident likely means there is trouble from the perspective of the Protection of Personal Information Act.
Experian is also working with the South African Banking Risk Centre (SABRIC), Banking Association of South Africa (BASA) and the South African Reserve Bank (SARB) to identify who is South Africa is affected by this incident.
Thankfully, Experian reports that “no consumer credit or consumer financial information was obtained” and that the suspect intended to use the data to create marketing leads to offer insurance and credit services.
“We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted. We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities,” said Experian.
The danger however is that should this compromised data fall into the wrong hands, it can be used by criminals to phish more information from a person and potentially steal their identity.
“The compromise of personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts. However, criminals can use this information to trick you into disclosing your confidential banking details,” chief executive officer at SABRIC, Nischal Mewalall, said in a statement.
SABRIC goes on to recommend that South Africans who suspect they may have been compromised apply for a free Protective Registration listing with the South African Fraud Prevention Services.
“This service alerts SAFPS members, which includes banks and credit providers, that your identity has been compromised and that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder. Consumers wanting to apply for a Protective Registration can contact SAFPS at [email protected],” explains SABRIC.
Experian meanwhile offered an apology.
“I would like to apologise for the inconvenience caused to any affected parties. Our first priority is to help and support consumers and businesses in South Africa,” said Experian Africa’s CEO, Ferdie Pieterse.
This marks the second major cybersecurity incident involving a local firm in inside of a week. On Monday Momentum Metropolitan revealed that it had been hit by a cyber attack.
It’s clear then that big firms aren’t taking the constant barrage of warnings to be alert regarding cybercrime seriously. We’re aware that accidents happen but one person managing to compromise 24 million South African citizens and 793 749 businesses is a massive accident.
These incidents are happening far too often lately and we would hope that the Information Regulator would hold these firms accountable for these data breaches.
Perhaps we’re too optimistic but something has to be done or one day 24 million South African citizens and 793 749 businesses might just have all of their private information compromised.
We urge our readers to be vigilant and verify every single request for information. Change your passwords regularly and never share that information with anybody.[Source – Experian]