Experian breach affects over 24 million customers and businesses in South Africa

Posted on Aug 21, 2020 by Caleb Chen

Consumer credit reporting agency Experian has suffered a data breach at its South African branch. The Experian data breach didn’t expose consumer credit or financial information, but other personal information that could be used in phishing attempts was definitely exposed. Experian noted in a statement that it fell victim to a social engineering attack in which the attacker claimed to be a client and successfully obtained the information with a simple request. The statement detailed:

“Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian. […] Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”

While this credit reporting agency breach isn’t as bad as the now infamous Equifax breach, which included the social security numbers of over 143 million individuals, this Experian breach is still a blow to the privacy of users and a stark reminder of the inordinate amount of seemingly unearned trust we are forced to place in agencies like Equifax and Experian. In fact, Experian also suffered a data breach that revealed social security numbers back in 2015.

24 million customers and nearly 800,000 businesses affected in Experian data breach

The credit agency did not state how many people were affected. Despite this, the South African Banking Risk Information Centre (SABRIC) released its own report, which puts the breach numbers at 24 million customers and 793,749 businesses. Following the data breach, Experian reported the incident to local authorities, who were able to track down the attacker who had committed the fraud. Additionally, Experian obtained a court order from local authorities “which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”

Experian publicly claims that the attacker didn’t breach any infrastructure, computer systems, or customer databases, but the fact remains that the agency handed over this information, and there’s really no way to know that it wasn’t shared onward, or hasn’t been exfiltrated in a similar manner before. Experian further maintains that this data breach wasn’t a big deal because the data sent to the attacker was “information which is provided in the ordinary course of business or which is publicly available.” If that sounds like a backtracking, blame-shifting statement, that’s because it is. Good thing that South African privacy regulators aren’t buying it, and have opened a case to investigate this Experian data breach.