Since 2015, we have been studying and reporting on data breaches, and have discovered some concerning trends. On top of our alert list is the Experian data breach.
In August 2020, the South African subsidiary of Experian, an Irish-domiciled global consumer credit reporting company, suffered a data breach that exposed the personal data of 24 million South Africans and 793,749 businesses.
At iAfrikan Media, one of the first things that drew our attention was the manner in which the Experian SA data breach was publicly disclosed in August. Typically, the entity that suffered the breach is the first to declare it publicly. In this instance, it was the South African Banking Risk Information Centre (SABRIC) that disclosed the breach.
In July 2020, amid growing public anger over personal data breaches and unanswered media questions, Experian SA learned that Talis Holdings had not paid an outstanding amount of R2,212,919.99 for data on South African citizens and companies that it had allegedly sent to the company’s director, Tebogo Mogashoa. The unpaid invoice is what exposed how an impersonator had masqueraded as a real client and gained access to the breached data. The impersonator was later identified as Karabo Phungula.
Karabo Phungula was found guilty in October 2022 of illegally acquiring South African citizens' personal information with the intent to sell it to a third party. Sentencing was scheduled for March at the Palm Ridge court, but Phungula failed to appear, and the court forfeited his R3 000 bail.
News of Karabo Phungula's sentencing reached our newsroom while this article was being written: the Palm Ridge Business Crimes Court handed down a 15-year prison term on March 29, 2023, at about 14:00.
Breached Data
Several weeks after Experian SA had assured the public and stakeholders that it had contained and secured the breached data, on 1 September 2020 iAfrikan’s Incident Response Team discovered a leaked data set on a publicly viewable website. To verify the find, we asked Experian SA to confirm that the data we had found on the internet matched the data from their breach; they confirmed that it did.
The data set came in two parts: one containing details on approximately 24 million individuals in South Africa, and another containing data on about 700,000 businesses incorporated in South Africa.
The data set of 24 million individuals in South Africa included the following field names for each individual:
The data set of over 700,000 businesses incorporated in South Africa, as found in the leaked Experian SA data files, included the following field names for each business:
Lessons learned from the Experian SA data breach
There are many lessons to be learned from the Experian SA data breach. The first is consistent with a trend iAfrikan has researched and observed for years: the majority of data breaches in South Africa occur through negligence and insufficient data protection measures, not sophisticated intrusion.
In our conversations with Experian SA and through our research into its internal processes, Experian SA admitted to verifying the identity of the “client” only through an online name check on the CIPC website. No other checks appear to have been performed, and nothing was done to confirm that the person applying to become a customer (to have data enriched) from a Gmail account was who they claimed to be.
This calls Experian SA's internal processes into question. It is also a lesson for their clients: regularly validate that the processes a supplier claims to follow are actually followed in its day-to-day business operations.
The other lesson concerns the risk inherent in the systems Experian SA uses to communicate with customers and transfer data to them. With phishing continuously on the rise, customer verification has to happen by means other than e-mail alone. Added to this, although SFTP is a relatively secure channel for transferring data, that security is futile if the passwords for it are sent in plain text via e-mail to customers whose identity has not been properly verified.
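The two control failures described in this section, a customer verified by nothing more than a name check and a free webmail address, and a fraud that surfaced only when an invoice went unpaid, can both be turned into routine checks. The following is an added example written for this article, not Experian SA's or iAfrikan's code; the field names, the free-webmail list, the 30-day grace period and the sample records are all constructed for illustration. It gates data release on independent verification of the applicant and flags delivered data sets whose invoices remain unpaid, which is the signal that exposed the impersonation here.

```python
"""Onboarding gate and delivery reconciliation for a data-supply desk.

Added example (not Experian SA's or iAfrikan's code). All field names,
thresholds and sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed list: free webmail providers offer no link between the
# applicant and the company they claim to represent.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


@dataclass
class Application:
    company_name: str
    registered_domain: Optional[str]     # e-mail domain on the company's own records, if known
    applicant_email: str
    name_check_passed: bool              # online company-name lookup on a public registry
    registration_number_verified: bool   # registration number matched to the registry record
    director_contact_verified: bool      # applicant confirmed via a contact obtained independently,
                                         # not via the details the applicant supplied


def onboarding_findings(app: Application) -> List[str]:
    """Return every reason this applicant must not yet receive data.

    A name check alone is treated as insufficient: the registration
    number must match and the applicant must be confirmed out of band.
    """
    findings = []
    domain = app.applicant_email.rsplit("@", 1)[-1].lower()
    if domain in FREE_WEBMAIL_DOMAINS:
        findings.append("applicant uses a free webmail address")
    elif app.registered_domain and domain != app.registered_domain.lower():
        findings.append("applicant e-mail domain does not match the company's registered domain")
    if not app.name_check_passed:
        findings.append("company name check failed")
    if not app.registration_number_verified:
        findings.append("registration number not verified against the registry record")
    if not app.director_contact_verified:
        findings.append("applicant identity not confirmed via an independently sourced contact")
    return findings


def may_receive_data(app: Application) -> bool:
    """Data is released only when no finding remains open."""
    return not onboarding_findings(app)


@dataclass
class Delivery:
    client_id: str
    delivered_on: date
    invoice_amount_rand: float
    paid: bool


def unpaid_deliveries(deliveries: List[Delivery], today: date, grace_days: int = 30) -> List[str]:
    """Client ids that received data but have not paid past the grace period.

    Data handed over to a client who never pays is an indicator that the
    client may not be who they claimed to be, and warrants review.
    """
    return [
        d.client_id
        for d in deliveries
        if not d.paid and (today - d.delivered_on).days > grace_days
    ]


# Constructed sample records.
SAMPLE_APPLICATIONS = [
    Application("Example Pty Ltd", "example.co.za", "ops@example.co.za", True, True, True),
    Application("Example Pty Ltd", None, "someone@gmail.com", True, False, False),
]

SAMPLE_DELIVERIES = [
    Delivery("C-001", date(2020, 5, 1), 150000.00, False),   # unpaid, 91 days old
    Delivery("C-002", date(2020, 7, 20), 50000.00, False),   # unpaid, still within grace
    Delivery("C-003", date(2020, 4, 1), 80000.00, True),     # paid
]

if __name__ == "__main__":
    for app in SAMPLE_APPLICATIONS:
        print(app.applicant_email, "->", "release" if may_receive_data(app) else onboarding_findings(app))
    print("review unpaid:", unpaid_deliveries(SAMPLE_DELIVERIES, date(2020, 7, 31)))
```

The onboarding gate deliberately refuses to let a passed name check stand on its own, and the reconciliation check runs over what has already been delivered rather than what has been invoiced, because the data is what leaves the building.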