How Experian was duped into handing over data on 24 million South Africans

Credit bureau Experian has revealed how it was duped into handing over the personal details of millions of South Africans.

“Our investigations indicate that an individual in SA, purporting to represent a legitimate client, fraudulently requested services from Experian. The services involved the release of information which is provided in the ordinary course of business or which is publicly available,” the company said in a statement.

The SA Banking Risk Information Centre (Sabric) said the data breach resulted in the exposure of personal information of as many as 24 million people and 800,000 business entities.

Experian, however, downplayed the impact of the incident on consumers, saying it had caught up with the individual before the data could be misused.

“We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes,” the company said in a statement.

Investigations had revealed that the individual “had intended to use the data to create marketing leads to offer insurance and credit-related services”.

Ferdie Pieterse, CEO of Experian SA explained to Bruce Whitfield on radio 702 how the breach happened, but stressed that the company systems had not been “hacked”.

“This is an isolated incident that we're dealing with, where a perpetrator using very smart social engineering techniques put himself forward as a known customer of Experian and then contracted with us in the normal course of business and in that way illegally obtained the records of 23.4 million individuals.” 

The company said that it had sought the intervention of authorities, who descended on the individual's property and conducted a raid.

“[This] resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted. We are continuing the legal process in this regard, including co-ordination with law enforcement and relevant authorities.

“Furthermore, upon discovering the incident, Experian SA notified the National Credit Regulator and the Information Regulator of the incident. We have also been engaged with Basa [Banking Association SA], Sabric and the prudential authority at the Reserve Bank. Experian SA bureau’s infrastructure, systems and database have not been compromised.”

Pieterse apologised to clients: “I would like to apologise for the inconvenience caused to any affected parties. Our priority is to help and support consumers and businesses in SA,” said Ferdie Pieterse.

The company urged individuals to regularly check their credit report by visiting www.mycreditcheck.co.za to ensure that they were aware of activity on their credit portfolios. The service is free.

TimesLIVE