If you’ve ever checked your credit record, or had a company check your credit record on your behalf, your personal information may have been compromised. In what looks like a clever form of social engineering, Experian handed over the records of 24 million South Africans and 793 749 South African businesses to a shady third party. This is according to information revealed by the South African Banking Risk Centre (Sabric) yesterday.
Experian, one of the largest credit bureaus in the country, says it has reported the breach to law enforcement authorities.
In a statement on its website, Experian said its investigation indicated that “an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services” from the credit bureau.
Experian adds that the information obtained is “provided in the ordinary course of business or which is publicly available”. In the same statement, it also gives the assurance that “no consumer credit or consumer financial information was obtained” in the breach.
Experian has not confirmed if consumer personal information was obtained in the breach. To affirm this, Experian says “the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services”.
In what seems like a SWAT attack, the credit bureau impounded the individual’s hardware and “the misappropriated data was secured and deleted”.
Experian Africa’s CEO, Ferdie Pieterse, said in a statement: “I would like to apologise for the inconvenience caused to any affected parties. Our first priority is to help and support consumers and businesses in South Africa.”
Banks use the information provided by credit bureaus such as Experian to help them assess a client’s ability to pay back a loan.
“Banks have been working with Experian and Sabric to identify which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds,” Sabric said in the statement.
Standard Bank, Africa’s largest bank by assets, has said some of its clients are among the victims of the breach. “We have proactively stepped up our authentication processes and our fraud prevention and detection strategies to protect our clients,” Standard Bank said in a statement. Due to the sensitive nature of the breach, it could not add any more details.
FNB released a statement that cautioned customers to be extra vigilant and to “follow its recommended security precautions”, which can be found in the Security Centre on the FNB App and Online Banking. It is also communicating directly with customers who may have been impacted from a banking perspective.
Experian says its investigations do not indicate that any misappropriated data has been used for fraudulent purposes.
This is a chilling lesson for Experian to learn, considering the recent implementation of the Protection of Personal Information (POPI) Act.