Credit reporting agency handed data to fraudsters claiming to represent ‘legitimate client’
UPDATE Experian South Africa has warned of a data breach after an unnamed fraudster obtained information on the country’s residents by posing as a client.
In a statement issued by the credit monitoring agency yesterday (August 19), Experian said it had identified the offender, who allegedly intended to use the data to create insurance and credit-related marketing leads.
A successful court order resulted in the data being deleted from the individual’s devices, Experian said.
“Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian,” the statement reads.
“The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”
According to Experian, no consumer credit or consumer financial data was compromised.
The agency also said its investigations “do not indicate” that any data has been used for fraudulent purposes.
Experian did not confirm how many people were potentially impacted by the incident, but reports from the South African Banking Risk Centre (SABRIC) suggested that as many as 24 million citizens and 794,000 businesses could have been affected.
Despite assurances from Experian that the data in question had been deleted from the perpetrator’s device, it has since been discovered online.
Data including government-issued ID numbers, email addresses, phone numbers, and other personal details were available to download in a publicly accessible file on Swiss website WeSendIt, according to local media.
South African title Sunday Times reported that South African regulators are working with Swiss authorities to prevent the spread of the leaked data.
South African Information Regulator chair Pansy Tlakula said that a whistleblower alerted the agency to the leak. Tlakula said that Experian has confirmed that the data came from the recent breach.
“Our investigation will review absolutely everything around Experian’s investigation. We will not let this go,” Tlakula said.
“The breach involves the cross-border flow of personal information. This is unacceptable. Millions of citizens’ and businesses’ personal information is on the internet with no proper control over it.”
The regulatory body is also working to determine whether any banking details were exposed online.
Staff (awareness) shortage
Javvad Malik, security awareness advocate at KnowBe4, said: “Having robust technical security controls in place is essential for all organizations today.
“But in addition, it is equally important for organizations to have procedures that support security, and ensure all staff receive appropriate security awareness training.
“We continue to see more and more high-profile attacks take place with social engineering attacks – whether that be to get an employee to hand over credentials, set up a new payment, or send sensitive data.
“We will likely see more organizations targeted by social engineers, and therefore investing in staff is of paramount importance.”
This article has been updated to include more information on the breach, including that the data was made available online. The Daily Swig has reached out to Experian for further comment.