Experian Breach in South Africa Affects 24 Million Consumers
Data on 800,000 Businesses Also Exposed
A data breach affecting the South African branch of credit reporting company Experian exposed information on an estimated 24 million consumers and almost 800,000 businesses, according to the South African Banking Risk Information Center (SABRIC), a nonprofit financial crime risk information center. But Experian says no consumer credit or financial information was exposed.
Experian South Africa did not say when the data breach occurred or how someone gained access to the data.
"We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing a [court] order, which resulted in the individual's hardware being impounded and the misappropriated data being secured and deleted," the bank says in a customer notification statement.
The company did not say what agency impounded the equipment or if the suspect is in custody.
“Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian,” the company says. “The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”
The statement adds: “We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes. Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”
The company did not reveal the type of personal and business information that was exposed.
The South African Banking Risk Information Center says it’s working with Experian South Africa to identify the customers affected by the breach.
Meanwhile, Experian says it’s working on the investigation with local law enforcement along with the National Credit Regulator, Banking Association of South Africa, SABRIC and the prudential authority at the South African Reserve Bank.
Based on Experian’s statement, Dean Ferrando, a systems engineer manager at the security firm Tripwire, says the attacker may have used a business email compromise scam.
"BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees," Ferrando tells Information Security Media Group.
Experian's Earlier Breach
In 2015, the credit score company suffered a breach when one of its servers that stored personal information for some 15 million T-Mobile customers was hacked.
Experian said it discovered that "an unauthorized party" accessed its systems, exposing data collected from September 2013 to September 2015 (see: Experian Hack Slams T-Mobile Customers).