Data broker Experian on Wednesday confirmed the worst fears and widespread suspicions of the data security industry: despite its early claims last month that the data breach had not extended beyond the original culprit, in fact, it’s now out there on the internet.

Although the leaked information is in itself not particularly private or sensitive, the consequences of the breach are now exponentially more severe, because once the information reaches the internet, its potential use by bad actors is much more likely and the ways it can be put to use are much wider.

The South African office of Experian, an Irish-domiciled multinational consumer credit reporting company, said in a statement that it “continues to investigate the isolated incident in South Africa involving a fraudulent data inquiry”.

“As a part of this investigation, we have identified files that we believe contain Experian data relating to the incident on the internet. We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible.”

This is massively different from the company’s original statement after the breach became known and was reported to the authorities, which spoke of an “isolated incident”. At that time, the company said, “Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes.”

What happened is that Experian got caught by a con artist. This individual purported to represent a legitimate client and fraudulently requested services from Experian, the company said.

At the time, the company said, “We can confirm that no consumer credit or consumer financial information was obtained.”

However, it now turns out that this may not be entirely true. There were apparently two separate databases; one concerning individuals and one with company information.

The main items of the dataset with individual information are people’s names, addresses, ID numbers, cellphone numbers, their employers, occupations and their emails.

To say this is not “consumer financial information” is, therefore, strictly speaking, true. But to suggest or imply this information is not valuable in the hands of bad actors would be a fairly severe understatement.

However, the real problem is with the corporate dataset, which covers about 800,000 businesses.

This dataset includes a much richer catalogue of information, including bank accounts, VAT numbers, registration numbers, adverse references and a host of other data. 

Not all of this information was provided by Experian.

The company said on enquiry that the fraudster provided Experian with an input file (data request file) containing the names, surnames and identity numbers of 25-million consumers. 

“He requested telephone numbers, addresses and employment information to match the information he already had. We verified the identity number,  provided telephone, address and/or employment information on roughly 20-million consumers. We did not provide personal credit or financial information.”

“The fraudster provided Experian with a second input file (data request file) containing the names, addresses and registration dates of about 790,000 businesses. We removed duplicates and provided data back. Therefore, around 607,000 businesses were affected.”

Still, the commentary has been harsh. In just one example of many, the founder and CEO of tech company iAfrikan, Tefo Mohapi, wrote on his blog: “Experian have continuously tried to downplay this data breach…” BM/DM