Credit bureau Experian said on Wednesday it is pursuing both criminal and civil charges against the perpetrator who walked off with the records of millions of South Africans after impersonating one of the company’s clients.
In a joint media statement issued by Experian and the Information Regulator, Experian Africa CEO Ferdie Pieterse said: “While the investigation continues, we can confirm that civil and criminal procedures are being pursued against the perpetrator as we take every step available to us to limit the impact to citizens and businesses in South Africa.”
TechCentral reported on 19 August that the data breach had exposed the personal information of as many as 24 million South Africans and almost 800 000 businesses to a “suspected fraudster”, who remains unnamed. News of the data breach – which, Experian has insisted, was not a hack – was first disclosed by the South African Banking Risk Centre, or Sabric.
Later the same day, Experian issued a statement saying its investigations indicated that “an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian”.
“The services involved the release of information that is provided in the ordinary course of business or which is publicly available. We can confirm that no consumer credit or consumer financial information was obtained,” it said.
“Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes. Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”
Apologies
In Wednesday’s statement, Pieterse apologised to South Africans for the incident and said the company has taken action to introduce additional controls to prevent this type of incident from occurring again. “We are working closely with all relevant authorities, including the Information Regulator, to help ensure data protection for all South Africans,” he said.
Data disclosed included consumers’ telephone numbers and in some instances addresses and employment details. “No consumer credit or financial information was obtained by the fraudster in this incident. The fraudster also obtained bank account numbers on some business entities,” Experian and the Information Regulator said in the joint statement.
Information Regulator chair Pansy Tlakula said Experian has “responded promptly to all our requests and has taken measures to protect the data of South Africans by engaging with multiple stakeholders, instituted actions to inform affected data subjects and other affected stakeholders, and put in place additional organisational measures to prevent unauthorised access from happening again”.
“We will continuously work with Experian to monitor compliance with the Protection of Personal Information Act and to ensure that the data of South Africans is appropriately processed, secured and protected. The recent spike in data exposure incidents in South Africa reinforces the importance of understanding not only cybercriminal activity but also sophisticated fraud impersonation techniques and how they relate to the protection of personal information.” — © 2020 NewsCentral Media