Data breaches and leaks have become a common occurrence in South Africa in both the public and private sectors. During 2020 so far we have heard of some major companies and government organizations suffering cyberattacks involving the personal information of millions of people in South Africa.
Typically these cybersecurity incidents are shrouded in secrecy, with the victims, the people whose data has been illegally accessed, hardly being notified, or with the affected companies or government organizations simply dismissing them as something not to worry too much about.
Experian South Africa is no different. The company recently claimed to be "a victim of a data incident" which it said involved the "illegal obtaining of data" by someone impersonating one of its clients. This all sounds relatively excusable until you follow the events as they unfolded leading up to the public disclosure of the Experian Data Breach.
How events unfolded at Experian South Africa
20 May 2020 - Experian South Africa allegedly hands over the data of 24 million South Africans and over 700,000 companies to what they say they thought was a legitimate client - Talis Holdings.
22 July 2020 - Experian apparently discovers that Talis Holdings has not paid it R2,212,919.99 for the data of South African individuals and companies it allegedly sent to the company’s director, Tebogo Mogashoa. The non-payment and alleged misrepresentation by an impersonator of a legitimate client, according to Experian, is now escalated to their global head office.
6 August 2020 - The Information Regulator (South Africa) received an e-mail from Experian requesting an urgent meeting to “discuss a matter.”
7 August 2020 - The Information Regulator meets with Experian where, according to the Information Regulator, Experian advised that it had experienced a breach. The Information Regulator advised Experian to report the breach in accordance with Section 22 of South Africa's Protection of Personal Information Act (POPIA).
13 August 2020 - Experian files an Anton Piller order in the High Court of South Africa, Gauteng Local Division against Karabo Phungula, and a company in which he is a director, Hi-Pixel Communications (Pty) Ltd.
14 August 2020 - Experian sends a report and a letter about the breach to the Information Regulator. In the letter, Experian advised the Information Regulator that they were a victim of a fraudulent misrepresentation that occurred in May 2020.
17 August 2020 - The Sheriff and those accompanying the Sheriff execute the Anton Piller application and seize computers and smartphones at the addresses listed in the Anton Piller order.
19 August 2020 - South African Banking Risk Information Center (SABRIC) releases a press statement revealing the “Experian Data Breach.” Several South African banks release media statements making clients aware of the “data breach” experienced by a credit bureau, Experian. Several hours after the SABRIC press statement and media statements by South African banks, Experian sends out a statement to all media stating it has “curtailed a data incident” and has seized and deleted the data from the alleged perpetrator’s computers and phones.
1 September 2020 - The data is available on a publicly viewable website despite Experian saying it curtailed the data incident and deleted the data. After questions from iAfrikan.com to confirm that the data discovered is part of the data breach, Experian issues a media statement confirming that the data from the data breach is on the Internet.
3 September 2020 - Karabo Phungula, the man Experian claims to be the alleged perpetrator, tells iAfrikan.com that he believes he is being framed over a business relationship with Compuscan that went sour in 2017 (Experian acquired Compuscan in 2019). He claims he never requested nor received the data.
14 October 2020 - Experian is yet to contact the people and companies whose data was affected by the breach. Authorities have taken no action against Experian so far regarding the data breach. All that we have observed are media and public statements, but no concrete actions.
What should happen next?
Unfortunately, as things stand, the Information Regulator can't enforce any punitive measures against Experian South Africa. This is because POPIA only becomes fully enforceable on 1 July 2021.
Even if POPIA were fully enforceable, the largest financial penalty for Experian would likely be R10 million. That's nothing considering how much it sells personal and company data for, and considering how much identity theft and Business E-mail Scams cost individuals and businesses in South Africa.
There are several options that businesses and individuals can undertake regarding the Experian Data Breach.
In this episode of the Tech Legal Matters podcast, Lucien Pierce, an attorney in South Africa who specializes in Cyber Law including data protection and privacy, explains some of these legal options.
Added to these options, we at iAfrikan Media are also working on something regarding the Experian Data Breach which we should be in a position to publicly announce in the coming weeks.
In the meantime, stay alert, and stay safe on the web.