Consumer Watch: Experian data breach has not been contained, despite claims to the contrary

The Experian breach exposed the personal information of more than 24 million South Africans, 800 000 businesses and the banking accounts of around 25 000 firms. File picture: Kacper Pempel/Reuters/African News Agency (ANA)


Published Sep 21, 2020


The Experian data breach has not been contained, despite claims to the contrary. Not only has it exposed the personal information of more than 24 million South Africans, 800 000 businesses and the banking accounts of around 25 000 firms, but the multinational credit information company has no control of that data - despite its claim the data has been seized and deleted.

Not only has the data been lost, but it has been “enriched” by linking ID numbers to telephone numbers, physical addresses, employee numbers and bank accounts, which puts individuals - and the companies whose banking details are now public - at immense risk.

And now, the Information Regulator has suggested public interest groups should launch a class action against Experian to sue for losses, because the office’s hands are tied as the Protection of Personal Information Act (Popia) is not yet fully in effect.

In July, Experian notified the Information Regulator and the National Credit Regulator that it had been deceived into handing over the personal information of millions of people to a person posing as a client.

The company maintains the breach was not a “hack”; the fact that it willingly gave over the information to someone who duped its staff points to serious lapses in its systems.

Last week, Information Regulator Pansy Tlakula questioned how Experian had secured the information in its possession. She told the SABC her office was unhappy with the fact that Experian had only published notices on its website, in the Government Gazette and newspapers.

She said due to the country’s electricity and access to internet issues, she wants Experian to notify each of the data subjects personally.

“Those whose banking accounts have been compromised have received general notifications; Experian needs to do much more,” she said.

That requirement could prove far more onerous on the company than what is required under Popia. Once the Act goes into effect in July 2021, a company can be fined up to R10m, or individuals can face 10 years in prison, for breaches of personal information. Peter Hill, a leading Popia expert, said that penalty would be a drop in the bucket compared to the costs associated with notifying each data subject.

Hill said if Experian had to notify 24 million members of the public and more than 800 000 companies about these breaches as required by law, it would need to employ more staff.

Even at a cost of R10 per person/data subject, this could have enormous cost implications for the company.

“Never mind the reputational damage this has caused,” Hill said.

He said the breach, which had been underplayed, was so severe members of the public should consider their personal information as compromised. And he’s accused Experian of not doing enough to secure the personal information it held in its possession.

Hill, one of the experts who drafted Popia, said Experian discovered the breach while reconciling unpaid invoices. “Somebody got more information than they paid for.”

Popia limits the amount of personal information that can be collected. Personal data can only be collected for the purpose for which it is required; you can’t collect more than you need.

“Personal data's the new oil,” Tlakula said. “How do we know what companies do with our information? When you enter buildings, you’re asked all sorts of personal information - your licence, car registration, phone number. What do they do with that?”

In July, Experian claimed none of that data had been shared or compromised. Now, it’s emerged the information was found on the Swiss-registered data transfer website WeSendit.

Experian responds:

Ferdie Pieterse, chief executive of Experian South Africa, says that to date its Global Security teams have confirmed they have not yet observed the data being offered for sale on the internet (including the dark web) and there is no indication that this data has been used for fraudulent purposes.

“Additionally, various internal investigations were also launched to ascertain what the perpetrator intends to do with the data. Our investigations indicate the perpetrator intended to use the data, or make it available for use, for marketing services including offering insurance and credit products to consumers.”

However, an investigation by iAfrikan and Australian security researcher Troy Hunt, founder of Have I Been Pwned?, has revealed that enough personal information has been released to carry out identity theft and facilitate financial transactions. Not only that, but the leaked company data contains credit or financial information.

Experian said it is working with law enforcement to pursue a criminal case against a suspect.

“The information was erroneously shared with the fraudster (purporting to represent a legitimate company) on 24 and 27 May 2020. Experian only became aware of the fraud on 22 July,” Pieterse said. At no point, he stressed, did Experian SA suffer a cyberattack.

Craig Pedersen, a digital forensics practitioner, said until companies who harvest and store large volumes of consumer data take proper ownership and responsibility these breaches will continue.

“There are loads of consumers in the bottom end of the market (including businesses) that don’t even know what Experian is - let alone the consequences of a breach,” he said.

“I believe Experian should be leading an immediate educational campaign at their own cost to educate the consumer and to show the savvy consumer what additional fraud prevention measures they intend implementing. A simple disclosure of exactly what was taken would go a long way to helping people understand the implications.”

Privacy specialist Ross Saunders said ID numbers are not enough to do harm: the danger comes in when that ID is “enriched”, linking it to an employee number and a bank account.

“It’s of course far worse when company details are involved, when directors’ and credit details, suppliers etc are accessed,” Saunders said.

There needs to be more vigilance, he said. “When my personal information was stolen, I got in touch with the Fraud Prevention Service. That’s protected me for years. It’s the best route for an automated safeguard on your credit records so if someone takes out credit, it stops fraud in its tracks.”

He said there were smarter ways to validate identity, via blockchain identification methods.

Experian has advised people to check their credit report by visiting www.mycreditcheck.co.za, which they can do for free, for life. They will also receive free SMS alerts when a credit enquiry is made on their credit report from now until March 1, 2021. People should also contact the South African Fraud Prevention Service to list their details and protect themselves.

* Georgina Crouth is a consumer watchdog with serious bite. Write to her at [email protected] or tweet her @georginacrouth.
