Credit bureau Experian said on Thursday that no consumer credit information or financial information was obtained by a suspected fraudster and that the incident has been “contained”.

Experian Africa CEO Ferdie Pieterse said in a voice note e-mailed to TechCentral late on Thursday – the company declined an interview, citing a high volume of media requests – that the matter is “under control”.

Pieterse’s remarks come 24 hours after industry body, the South African Banking Risk Information Centre (Sabric), issued a statement saying Experian had suffered a huge data breach, exposing the personal information of as many as 24 million South Africans and almost 800 000 businesses to a “suspected fraudster”. This raised the spectre of a sharp rise in phishing and other attacks on South African electronic banking customers.

Sabric said Experian reported the incident to law enforcement authorities and was working with “appropriate” regulatory authorities.

“Banks have been working with Experian and Sabric to identify which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds,” Sabric said in the statement. “Banks and Sabric have also been co-operating with Experian in their efforts to secure the data and ensure the perpetrators are brought to book.”

But Pieterse on Thursday hit out at Sabric, saying the release of its statement was “premature” and caused “unnecessary panic”.

‘Sensitive stage’

“At the time of Sabric’s statement on 19 August, we were still at a sensitive stage of the investigation and the apprehension of the fraudster,” he said in the e-mailed voice note.

“On behalf of Experian South Africa, I would like to apologise to anyone who is concerned and anxious about the event and to ensure you we have the matter under control,” Pieterse said.

“Our investigations indicate that an individual in South Africa, purporting to be represent a legitimate client, fraudulently requested services from Experian. The services involved the release of information that is provided in the ordinary course of business, all of which is publicly available,” he said.

“Experian has identified the suspect and the individual’s hardware has been impounded and the misappropriated data secured and deleted. We can confirm that no consumer credit or consumer financial information was obtained by the fraudster. We want to reassure South Africans that the data has been deleted. The information concerned was publicly available information and we believe the incident has been contained.”

Despite this, several major banks, including Nedbank, Absa and First National Bank, issued advisories to their customers on Thursday, warning them to be vigilant about potential phishing and other scams flowing from the data breach.