Data from huge Experian breach found on the internet

The personal data of millions of South Africans, "stolen" in one of SA's biggest data breaches earlier this year, has been discovered on the internet, despite assurances that the information had been recovered.

The failure to retrieve the data and resolve the leak has left 24-million people and nearly 800,000 businesses potentially exposed to online fraudsters.

The information, held by credit bureau giant Experian, includes data such as cellphone and ID numbers, addresses, banking and work details and e-mail addresses.

The dumping of the data on the Swiss-registered data transfer website WeSendit has prompted a scramble to plug the leak and find out who is to blame for the theft.

Consumer protection lawyer Trudie Broekmann said people should be afraid.

"Credit bureaus list your income, assets, career history including reasons for termination, every account you have opened or loan taken, monthly instalments, payment history, every default judgment against you, your family relationships, and addresses and contact details."

News that the data hack, which the Hawks are investigating, has not been resolved triggered a scramble this week by SA's authorities to try to stop the information being traded.

South African Information Regulator chair Pansy Tlakula said on Monday an independent cyber forensic investigator had been appointed to review an internal investigation conducted by Experian. It will involve Switzerland's federal data protection and information commissioner.

"Our investigation will review absolutely everything around Experian's investigation. We will not let this go," Tlakula said.

"The breach involves the cross-border flow of personal information. This is unacceptable. Millions of citizens' and businesses' personal information is on the internet with no proper control over it."

Tlakula said the file uploaded onto WeSendit contained the details of 24-million people and almost 800,000 businesses, including "the banking details of 24,838 businesses".

"We are trying to establish if the banking details of individuals have also been compromised," she said.

A tip-off from an anonymous whistleblower made Tlakula aware of the ominous new twist in the saga.

"Experian gave assurances all the data was retrieved. This is after they obtained a court order and seized electronic devices from the person they believed responsible for the breach," Tlakula said. "Shortly after the assurances, a whistleblower outside of Experian alerted us to the data being transferred via WeSendit. We questioned Experian last Friday. They confirmed it was their data."

Contacted for comment, WeSendit CEO Jens Herbst admitted the South African information had been uploaded onto the company's system. "We deeply regret that our platform has been misused to send protected data," he said.

Herbst said in an e-mail that for data protection reasons, the company has no access or insight into the data of its customers, "which is sent encrypted".

He blamed a "Russian attacker" for using the service to upload and transfer the South African data.

"We have determined the attacker was from Russia and had sent [the] data via a proxy server. It is no longer possible for the attackers to send data via our platform.

"WeSendit was [also] attacked. Our security measures recognised this and excluded Russia to prevent the illegal proliferation [of this data transfer]."

Asked if it is working with the information regulators or the Hawks, Herbst said WeSendit does not co-operate with any government or authority.

He said it could not say when the data had been uploaded or accessed because "as a Swiss provider, we are obliged to delete all data and records from our servers irretrievably".

Shift in focus

In August, the focus of the data breach investigation switched to data marketing businessman Karabo Phungula, who was said by Experian to be a suspect in the leak. He has denied any involvement.

Phungula, whose Soweto homes were raided by a court sheriff, cyber forensic investigators and Experian officials on August 18, is director of Hi-Pixel Communications, a Johannesburg data marketing business.

"My two cellphones and computer, which they said I used to take the data, were seized," he told the Sunday Times.

"Experian says they deleted information, but there was no evidence to delete."

Phungula said he had not been questioned by police. He said his home was burgled several months ago and his laptop stolen. He claimed he was being framed after a R5.6m deal with credit bureau company Compuscan went sour in 2017. The deal was to upload identify numbers onto its systems. Experian bought out Compuscan in September 2019.

Phungula said he did not know of WeSendit.

He said his business involved generating potential sales leads for companies, including insurance firms.

Digital forensic investigator Craig Pedersen said the stolen data is valuable not only because it contains phone and identity numbers, but because of the banking details.

"Identity numbers usually sell for 15c per user. Add banking numbers, and people on the black market will pay up to $1.50 [R25] per record. These records are potentially worth millions of rands.

"The impact will be immense because data is never just bought once on the black market. It's sold multiple times."

"In the terms of value, this is probably SA's biggest leak. It's valuable because of what you can do with it, like obtain loans and open online retail accounts."

Craig Rosewarne, director of Wolfpack Information Risk, said: "Looking at Stats SA population figures, this leak could easily mean nearly 90% of the adult working population has had their data stolen."

On Phungula's allegations that he had been framed, Experian spokesperson Michelle Samraj said: "It is significant that [Phungula] has not opposed the application [for the order], as was his right, if he believed that the order was wrongly granted."

She said Experian's systems had not been hacked and that the data was "erroneously shared with the fraudster purporting to represent a legitimate company".

On the leaked data she said: "Not all the data in the files was provided by Experian."

Samraj said Experian discovered the leak while following up with a client on an outstanding invoice.

"Experian entered into a recovery process, conducted further checks and determined the transaction was fraudulent."

She said data matching keywords which was found on Phungula's devices was deleted. After further investigations they found files with Experian data, relating to the theft, on the internet.

"The files contained the same data provided to the fraudster… these files can no longer be accessed… the data was not offered for sale."

Samraj said their announcement in August that the data was recovered "was made in good faith".

She confirmed Experian had never dealt with Phungula.

"Experian acquired Compuscan in 2019, which had a once-off client-relationship with the perpetrator in 2017." She confirmed there had been a dispute. "Following legal advice, neither Compuscan nor Experian are pursuing litigation with Phungula."

Hawks spokesperson Brig Hangwani Mulaudzi said the serious commercial crimes and cybercrimes units are investigating.

South African Banking Risk Information Centre CEO Nischal Mewalall said last month that banks were working to identify which of their customers may have been exposed to the breach and to protect their data.