Back in the heady days of August, Experian South Africa revealed that it had been the target of a “fraudulent data inquiry”.

From what we can gather, an individual called up Experian South Africa claiming to be the director of a known company and procured services from Experian. The firm then handed over the data the person requested.

At the time we were told by Experian that “no consumer credit or consumer financial information was obtained” and unfortunately today we learned that this was incredibly inaccurate.

Working with haveibeenpwned founder Troy Hunt, iAfrikan has uncovered a database containing data from Experian which is available on publicly viewable websites and forums.

Upon investigation, the database was found to contain address information, emails, employer names, phone numbers, ID numbers and more belonging to the South Africans affected by this breach. The database contains 1.3 million email addresses, but worryingly “most contained government issued identity numbers, names, addresses, occupations and employers, amongst other personal information.”

The database also contains information on the 793 749 businesses that were affected and data includes a range of company information including banking information, VAT numbers and much more.

The danger here is that with all of this information in hand, a cybercriminal’s job becomes trivial.

Consider for a moment that you get a call from your “bank”. The caller can confirm all of your information accurately, right down to your occupation. You assume they are trustworthy because, well, who else would have all this information? Now imagine that’s not your bank but a cybercriminal with access to this database.

Given that the breach happened in May 2020 and Experian only discovered it in July 2020, the fact that these databases are online is not surprising. Data like this can fetch a pretty penny on dark web marketplaces because it makes social engineering and phishing attacks so much easier.

Even when faced with the fact that this database is online, Experian told iAfrikan that no credit or financial information was obtained by the fraudster. Clearly our definition and Experian’s definition of financial information are worlds apart. That or bank codes, branch names, and bank account numbers aren’t considered financial information anymore.

To put it as politely as possible, Experian has underplayed the danger this breach has for South Africans and South African businesses.

Quite frankly, we’re fed up with this lackadaisical approach to cybersecurity from local firms, and that is without considering the breaches and hacks we never hear about. It is imperative that we start taking cybersecurity seriously and that mistakes such as the above become the exception and not the rule.

Do better Experian, this is not good enough.

We highly recommend reading iAfrikan’s full report here. Just prepare yourself for how much data was gleaned.