Experian says it recovered and deleted data on 24 million South Africans after giving it to random ‘marketing’ person

Credit reference agency Experian has suffered what it somewhat understatedly described as a “data breach” after the firm itself transferred the details of 24 million South Africans to one individual.

The credit reference agency admitted on its South Africa website that the “isolated incident” took place over what it said was a “fraudulent data enquiry”.

24 million people’s data was transferred to someone who contacted Experian and – as the company alleges – pretended to be a representative of a legitimate client. Included in that transfer were the details of 793,749 “business entities”, according to the Morningstar financial newswire.

“Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian,” the company said. “The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”

The Register is unaware of any legitimate public source of detailed data relating to more than 40 per cent of the population of an entire nation state, hoards of information leaked from other data grabs by more sophisticated hackers notwithstanding. South Africa has a population of around 56 million.

Experian said it had obtained an Anton Piller court order to seize and destroy the data it unwisely transferred to the individual, which is a type of search warrant in civil legal proceedings. In a statement the data broker said the order “resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted”.

It added: “We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes. Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”

The South African Banking Risk Centre said in a statement that local financial institutions were trying to identify “which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds”.

The Register has asked Experian to comment.

Dave Barnett, head of edge security at infosec vendor Forcepoint, observed that “there is a ton of data within credit agencies” and said the allegedly illicit approach to Experian was unsurprising.

“The criminal Willie Sutton was asked once why he robbed banks, and his response was simple: Because that’s where the money is,” he sagely intoned to El Reg. “Data has value and there is a ton of data within credit agencies so it is no wonder Experian was targeted in this way. However, it is comforting that the attacker has been identified, steps are being taken to protect the victims, and the regulatory controls are working.”

He concluded: “In this case, it really does feel like ‘another day, another data breach’. Criminals will always gravitate towards the shiny objects and there is nothing brighter than personal and financial data.”

In 2018 Experian’s website was found to be exposing credit account unlock codes. Accounts can be frozen by their rightful holders to prevent criminals from using stolen credentials to apply for loans; exposing the PINs defeated that safeguard. The bug has since been fixed. ®

READ MORE HERE