As more information comes to light regarding the high profile breach of Experian South Africa our worries about this breach grow.
On Wednesday evening it was announced that 24 million South African citizens and 793 749 businesses had been affected by a data breach.
We use the word breach here very loosely as Experian South Africa seemingly gave a fraudster access to all of this data because they claimed to be a legitimate client.
But important questions have been raised about this breach since it hit the headlines, the most worrying being that the South African Banking Risk Centre (SABRIC) broke the news before Experian did.
Most worrying for us is that in an interview conducted with the Office of the Information Regulator, iAfrikan discovered that Experian had known about this breach since July.
“The Regulator is aware that the breach was purportedly discovered on the 22nd July 2020. Yet, Experian approached the Regulator on the 6th August 2020 for a meeting,” the regulator said.
“On 6th August 2020 Experian, a credit bureau in South Africa sent an email to the Information Regulator (IR) and requested an urgent meeting to ‘discuss a matter’. On 7th August 2020 the Regulator met with Experian where it was advised that a breach was experienced. The Regulator advised Experian to report the breach in accordance with Section 22 of POPIA. Experian then sent a report to the Regulator on 14th August 2020,” the Office of the Information Regulator told iAfrikan.
The Information Regulator went on to say that in the report filed on 14th August Experian said that it was a “victim of a fraudulent misrepresentation that occurred in May 2020”.
That means four months passed without Experian saying a thing to the 24 million South African citizens and 793 749 businesses that were potentially impacted by this breach.
Now, the Protection of Personal Information Act does allow for the delay of a notification of unauthorised access to data but only if the Information Regulator determines that notifying people would impede the investigation.
The Act also states that notification of a breach “must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system”.
Why Experian then waited until 6th August to contact the Office of the Information Regulator is bizarre.
On top of that, the firm appears to be very lackadaisical about informing South Africans as to whether they are affected by this breach. Instead, Experian has seemingly put that responsibility on the banks.
And to add even more insult to injury, South Africans don’t know what data was potentially compromised, having only been given a warning to check their credit profiles regularly.
We’re flabbergasted at this entire affair and the nonchalance that Experian appears to be handling this matter with.
For South Africans who are worried, there are a few things you can do to safeguard yourself from fraud and identity theft but it requires constant vigilance thanks to one person pretending to be a CEO and pulling the wool over Experian’s eyes.