
BUSINESS MAVERICK OP-ED

The unanswered questions following the Experian data breach


A host of unanswered questions arises from the Experian data breach, which is really SA’s first experience with a very large-scale invasion of financial privacy. But at the core, the relatively small SA example touches on much broader questions: How safe are we; how safe is our data; are we to become inadvertent victims of a new data war which rages around us, controlled by forces we can’t easily see or control?

First published in DM168

These invasions are already features of the modern digital experience around the world, and the SA example follows such varied instances as Twitter being duped out of information in July on accounts of high-profile individuals like Barack Obama, Elon Musk and Bill Gates, no less. On the other extreme, earlier this year, a cool three billion records were accessed from Clearview AI, a face recognition company. 

Data breaches are becoming more regular, larger in size and more effective. If data has become the new oil, the wild peculiarities of the oil industry are going to become the new normal – and we’d better brace ourselves for it.

So what actually happened in the Experian case, and what can we learn from it? The first part of the question is itself part of the problem, because the details are a bit fuzzy, possibly because the participants themselves are, perhaps understandably, worried about compounding the nightmare by releasing information that later turns out to be wrong.

The timeline went something like this: on 19 August renowned tech journalist Duncan McLeod reported on the website TechCentral that credit bureau Experian had suffered a massive data breach, exposing the personal information of as many as 24 million South Africans and nearly 800,000 businesses to a “suspected fraudster”.

McLeod was reporting on a statement released by the South African Banking Risk Centre (Sabric), which said Experian had reported the incident to law enforcement authorities and was working with “appropriate” regulatory authorities. 

The centre said South African banks have put in place “robust risk mitigation strategies to detect potential fraud on accounts and protect their customers”. You have to wilfully suppress your cynicism at that statement, particularly since the breach was clearly not the work of a tech genius punching complicated algorithms into a laptop, as Hollywood would have us believe; the data was duped out of Experian by a bog-standard con artist posing as a client. What’s worse, the information was willingly handed over on nothing more sophisticated than a memory stick. Yeee-ouch!

Anyway, up to this point, Experian has said nothing. First mistake. To be fair, as soon as the information was out, Experian did put a notice on their website later in the day. But reading this statement, you would think someone accidentally spilt hot coffee on their mouse pad. 

What was gleaned was information “that is provided in the ordinary course of business or which is publicly available. We can confirm that no consumer credit or consumer financial information was obtained.” Turns out that last bit was kinda iffy.


Anyway, we can all rest easy. “Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes,” the statement said. But people should be on guard. 

This is the kind of reaction we have come to know and love from what might be called the “data community”. We can summarise it thus: there is a problem but it’s actually not a problem, and to the extent that it is a problem, it’s your problem. The headline of the story said it all: Experian data breach: It’s not as bad as feared.

Well, that sort of depends on what you fear… or what you should fear. Experian said in its statement that it had identified a suspect and obtained an Anton Piller court order against them. This resulted in the suspect’s hardware being impounded and the misappropriated data being secured and deleted. 

But there is a problem here too. It turns out that the breach actually happened between 24 May and 27 May. The company detected the breach nearly two months later on 22 July, applied for the Anton Piller order on 13 August, and only publicly announced the data breach on 19 August. 

There are some pretty big gaps here. What are the chances that Experian, which, ironically, offers services in combating data breaches, was kinda hoping this could all be buried on the QT? After all, the company said: “Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.” So you see, no problem.

Well, the banks were having nothing to do with that, because there is a problem. First, if you had been caught, you would say that, wouldn’t you? What you wouldn’t say is that you handed it to a friendly guy from Eastern Europe. Second, the intention of fraudsters who target what is laughingly known as “public information” is to use it as a lever.

They can put out a call centre request and if they know just some of your details, they can come across as a figure of authority wanting to help. Next thing, you have “refreshed” your bank password and your money is gone. If only one in a hundred falls for it, that’s still 240,000 bank accounts. 

And the loser here wouldn’t be Experian but the banks, who would be dealing with some very angry clients. So banks were forced to put out carefully worded statements. The aim was to ensure clients would not get paranoid about their data but also that they should be paranoid about their data, because the ultimate defence against phishing scams is not sophisticated algorithms but users themselves. 

And that is the ultimate problem; banks want this to be our problem, and in some ways it is. But when you have buckets of information that can be reduced in size to a book of matches, you have what might be called a volume conundrum. 

Crimes that were once impossible because of the sheer volume of data involved are now eminently possible. And putting the best possible gloss on this, the Experian example, a close shave in some ways, should be a wake-up call to us all. BM/DM
