Source: Business Insider
Information apparently drawn from a massive leak of its data is “on the Internet”, credit bureau Experian admitted on Tuesday night.
To date the company has insisted it had contained the breach, after handing over data on millions of South Africans, and bank account details of businesses, to someone it describes as a fraudster.
Now it says it will work to stop the further spread of the information.
As part of its investigation, “we have identified files which we believe contain Experian data relating to the incident on the internet,” Experian said in a statement.
“We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible.”
It also claimed – in direct contradiction to a timeline it has confirmed – to have taken “immediate steps to make sure that individuals and businesses in South Africa could take steps to protect themselves” once it became aware of the breach.
Experian announced the breach publicly in August, and banks started to issue warnings to their customers that the leaked information may be used to scam them.
What the company failed to mention, until questioned by Business Insider South Africa, was that it had handed over the information in late May, and noticed it had done so nearly two months later, in July.
It took nearly another month to investigate and obtain a private seizure order to recover the hardware on which the data had been stored.
Only after that did Experian tell consumers about the breach.
Having seized the hardware, the company said, it had contained the incident.
“We have been monitoring the various platforms (i.e. the dark web) to ascertain whether the data is being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts,” Experian said, when Business Insider asked how it knew the information had not been sold or distributed in the nearly three months it was with the “fraudster”.
“Also, from our internal investigations we ascertained that the fraudster conducts an insurance and credit services market place and uses the information to contact consumers in order to offer services to consumers.”
Experian has not said how it initially failed to detect the spread of the information, or exactly how it intends to contain the data this time around.
By Phillip de Wet for Business Insider SA
South Africa’s largest ever data breach has now been contained, says credit bureau Experian, which handed over the personal details of some 24 million people to an individual it now calls a fraudster.
But it is still not clear what happened between the end of May – when Experian handed over that data – and mid August, when that containment actually took place.
On Thursday Experian confirmed that what it terms “the release” took place on 24 May and 27 May. That was when it handed over data including ID numbers, telephone numbers, and physical and e-mail addresses of more than 23 million individuals and nearly 800,000 businesses to someone who presented themselves as authorised to have that information.
As of Thursday, South Africa’s largest banks are warning affected and potentially affected customers to exercise heightened vigilance, because that information could be used in identity theft attempts, or to convince people to hand over more information.
For all of June, July, and the first two weeks of August, customers were not aware of that possibility, though, as Experian first sought to plug the leak.
This week the company said it had secured the hardware the information had been stored on via an Anton Piller, a court order that allows for search and seizure without prior warning in order to preserve evidence in civil cases.
“[W]e delayed publishing the incident due thereto that the Anton Piller is reliant on the element of surprise and we therefore could not make the incident public,” the company told Business Insider South Africa on Thursday.
Experian said it had detected the breach on 22 July – 57 days after handing over the data.
“The fraud was detected once Experian struggled to contact the representative of the company on his mobile and then attempted to make contact on the company’s landline,” the company said in response to questions. “The actual person who was impersonated confirmed that he did not have any dealings with Experian.”
It immediately started to investigate, Experian said, but needed “to ensure that we have the necessary evidence that is required to apply for the Anton Piller order.”
It actually applied for that order on 13 August, 79 days after handing over the data.
The order was fully executed by 18 August – 84 days after the breach.
On Thursday Experian said it believes “that the incident has been contained”, after it seized hardware from the suspected fraudster and the data was “secured and deleted”.
Asked why it believed the data had not been sold or otherwise passed on in three months, the company said:
“We have been monitoring the various platforms (i.e. the dark web) to ascertain whether the data is being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts.
“Also, from our internal investigations we ascertained that the fraudster conducts an insurance and credit services market place and uses the information to contact consumers in order to offer services to consumers.
“Due to the serious nature of the Anton Piller order, we are not permitted to share any details around this.”
The company also reiterated that it believes the breach was not that big a deal, as the “consumer information concerned was publicly available information”.
By Sizwe Dlamini for IOL
Consumer, business and credit information services agency Experian has experienced a breach of data which has exposed personal information of as many as 24-million South Africans and 793 749 business entities to a suspected fraudster.
Experian confirmed in a statement on Wednesday that the breach had been reported to law enforcement and the appropriate regulatory authorities.
The company said it had handed over information to a suspected fraudster, but that the suspect had since been identified and the data deleted.
It said banks had been working with Experian and South African Banking Risk Centre (SABRIC) to identify which of their customers might have been exposed to the breach and to protect their personal information, even as the investigation unfolds.
Banks and SABRIC have also been co-operating with Experian in their efforts to secure the data and ensure the perpetrators are brought to book.
SABRIC chief executive Nischal Mewalall said the compromise of personal information could create opportunities for criminals to impersonate another person, but did not guarantee access to banking profiles or accounts. “However, criminals can use this information to trick you into disclosing your confidential banking details.”
“Should you suspect that your identity has been compromised, apply immediately for a free Protective Registration listing with Southern Africa Fraud Prevention Service (SAFPS). This service alerts SAFPS members, which includes banks and credit providers, that your identity has been compromised and that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder,” said SABRIC.
Consumers wanting to apply for a Protective Registration can contact SAFPS at firstname.lastname@example.org.
SABRIC and SAFPS urged bank customers and other consumers to follow sound identity management practices to mitigate the risk of impersonation and fraudulent applications.
SAFPS chief executive Manie van Schalkwyk said: “Think of your identity information in the same way as you think of cash. Keep it safe and secure at all times, because once it is compromised, it can be used by anybody, often to impersonate you.”
It is also recommended that bank customers follow precautionary measures, including:
- Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax, text messages or even email.
- Change your passwords regularly and never share them with anyone else.
- Verify all requests for personal information and only provide it when there is a legitimate reason to do so.