Experian offers mea culpa after massive data breach blunder
Credit bureau Experian has been left with egg on its face after it willingly handed over personal details of as many as 24-million consumers and nearly 800,000 businesses to a suspected fraudster. Experian insists that the data breach has been ‘contained’ as no consumer credit information or financial information was obtained by the fraudster.
The data breach at Experian, one of SA’s largest credit bureaus, will probably go down in history as the country’s largest and a self-created blunder.
Experian accidentally engineered the data breach when it willingly handed over personal details belonging to as many as 24-million consumers and nearly 800,000 businesses to an individual whom it now describes as a “fraudster”.
According to Experian, it was duped into handing over consumer information such as ID numbers, telephone numbers, and physical and e-mail addresses to an individual who claimed to represent the credit bureau’s undisclosed client. In other words, the individual was supposedly authorised to have that confidential information, which is provided to clients “in the ordinary course of business”.
The credit bureau industry holds sensitive data on millions of consumers, as it collects their personal information from banks, retailers and other businesses. The industry serves an important function in SA’s credit system, as banks, retailers and real estate landlords obtain data from credit bureaus such as Experian to determine clients’ ability to pay back loans or their financial fitness to enter into a residential lease agreement.
Experian insists that the data breach has been “contained” as no consumer credit information or financial information was obtained by the suspected fraudster or “has been used for fraudulent purposes”.
“Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services,” the company said in a statement last week.
But the fact that sensitive information landed in the wrong hands is enough to create panic — and rightly so.
Experian said it had seized the hardware on which the suspected fraudster had stored the personal information, which was then “deleted”. It seized the hardware by seeking an Anton Piller order via the courts — an application that is made in secret so that search and seizure procedures can be carried out without prior warning to the affected party, in order to secure evidence. It’s unclear if Experian laid criminal charges against the suspected fraudster.
Experian had not responded to Business Maverick’s emailed questions, sent at the weekend, by the time this article was published. But its CEO Ferdie Pieterse offered an apology to customers:
“I would like to apologise for the inconvenience caused to any affected parties.” (We will update this article when we receive Experian’s response)
According to Business Insider, Experian handed over the sensitive information to the suspected fraudster between 24 May and 27 May. The company detected the breach nearly two months later on 22 July, applied for the Anton Piller order on 13 August, and only publicly announced the data breach on 19 August.
Asked why it didn’t immediately inform the public about the breach when it was discovered, Experian told Business Insider:
“[W]e delayed publishing the incident due thereto that the Anton Piller is reliant on the element of surprise and we, therefore, could not make the incident public.”
Fines and jail time
The data breach would normally land Experian in hot water with SA’s information regulator, whose office places the responsibility for safeguarding sensitive information on companies under the Protection of Personal Information Act (POPI). Under the POPI Act, the regulator could slap Experian with an administrative fine of up to R10-million, or its directors could face imprisonment for a period of not more than 10 years.
But Experian and other companies are not yet liable under the POPI Act, as sections of it only came into effect on 1 July 2020 and companies have until 1 July 2021 to comply with the Act’s various obligations.
Experian has already informed the information regulator, advocate Pansy Tlakula, about the data breach.
The data breach has prompted SA’s banking sector to be on high alert; commercial banks including Standard Bank, FNB, African Bank, Investec, Absa and Nedbank have informed customers that they could potentially be victims of the incident.
As of Friday 21 August 2020, the banks had warned customers to be vigilant, as their compromised personal information could be used in identity theft attempts or to dupe customers into handing over more personal information. Although the banks said that only personal information, and not banking-specific customer information, was compromised, they have moved to beef up their fraud prevention and detection strategies.
Experian’s data breach incident has raised important questions about the strength of its security control measures when all it takes is an imposter for sensitive information to fall into the wrong hands.
After all, incidents where sensitive information is compromised are usually caused by external forces such as sophisticated cyberattacks — like the one faced by life insurance company Liberty, when hackers breached its IT systems in June 2018.
At the time, hackers claimed to have seized confidential information on Liberty’s systems — including banking details and medical reports of consumers — alerted the insurer to potential vulnerabilities in its IT systems and demanded payment, which the company refused. Short-term insurer Momentum Metropolitan recently said it had suffered a data breach, although it said investigations indicated that no client data had been accessed. DM/BM