The South African branch of Experian has confirmed that a threat actor stole company data affecting 24 million customers.
Leading consumer credit reporting agency Experian is in the news again for another data breach. Reportedly, on Wednesday, a fraudster contacted the agency posing as a representative of a ‘legitimate client’ and obtained personal details of its South African customers.
The company notes that it is an ‘isolated incident in South Africa involving a fraudulent data inquiry.’ The fraudster asked for services that required the company to share private information. The information Experian shared is usually publicly available, claims the company.
Moreover, Experian confirmed that no credit-related details or financial data were compromised, and neither were the bureau’s systems, databases, or digital infrastructure.
Experian South Africa identified the suspect and successfully obtained an Anton Piller order to impound the fraudster’s hardware and delete the ‘misappropriated’ data. The agency believes that the suspect wanted to use the data for creating marketing leads to offer credit or insurance services.
Experian Africa’s CEO, Ferdie Pieterse, issued a statement apologizing to the public for the unfortunate incident.
“I would like to apologize for the inconvenience caused to any affected parties. Our first priority is to help and support consumers and businesses in South Africa,” Pieterse stated in a consumer notification.
The number of affected users is still kept under wraps by Experian. However, the South African Banking Risk Centre (SABRIC), a non-profit anti-fraud and banking agency, reports that this incident could impact nearly 24 million Experian customers and 793,749 local businesses.
Experian downplaying the impact?
The number of “could be” victims shared by SABRIC indicates that Experian is trying to play down the extent of the damage or the seriousness of the incident by not revealing the number of affected users or businesses and by claiming that the stolen data was shared in the “ordinary course of business.”
The company only claimed that financial data was not shared but didn’t specify the type of data it handed over to the fraudster.
Experian intends to continue the legal procedure and collaborate with law enforcement authorities in the investigation. It has already informed the National Credit Regulator and the Information Regulator about the data breach. Moreover, the company is in contact with other relevant authorities, including BASA, SARB, and SABRIC.
Nischal Mewalall, CEO at SABRIC, believes that criminals can use personal details to conduct identity theft or trick unsuspecting users into revealing confidential financial data. Perhaps the company is still recovering from the haunting memories of the 2015 data breach.
Not for the first time:
This, however, is not the first time the data of Experian customers has been at risk. Previously, on several occasions, the company had similar incidents, including one leading to a T-Mobile customer data breach. In another incident, a hacker claimed to be selling millions of Experian accounts on the dark web.