South Africa’s largest ever data breach has now been contained, says credit bureau Experian, which handed over the personal details of some 24 million people to an individual it now calls a fraudster.
But it is still not clear what happened between the end of May – when Experian handed over that data – and mid August, when that containment actually took place.
On Thursday Experian confirmed that what it terms “the release” took place on 24 May and 27 May.
That was when it handed over data including ID numbers, telephone numbers, and physical and e-mail addresses of more than 23 million individuals and nearly 800,000 businesses to someone who presented themselves as authorised to have that information. As of Thursday, South Africa’s largest banks are warning affected and potentially affected customers to exercise heightened vigilance, because that information could be used in identify theft attempts, or to convince people to hand over more information. For all of June, July, and the first two weeks of August, customers were not aware of that possibility, though, as Experian first sought to plug the leak. This week the company said it had secured the hardware the information had been stored on via an Anton Piller, a court order that allows for search and seizure without prior warning in order to preserve evidence in civil cases. “[W]e delayed publishing the incident due thereto that the Anton Piller is reliant on the element of surprise and we therefore could not make the incident public,” the company told Business Insider South Africa on Thursday.
Experian said it had detected the breach on 22 July – 57 days after handing over the data. “The fraud was detected once Experian struggled to contact the representative of the company on his mobile and then attempted to make contact on the company’s landline,” the company said in response to questions. “The actual person who was impersonated confirmed that he did not have any dealings with Experian.” It immediately started to investigate, Experian said, but needed “to ensure that we have the necessary evidence that is required to apply for the Anton Piller order.” It actually applied for that order on 13 August, 79 days after handing over the data. The order was fully executed by 18 August – 84 days after the breach. On Thursday Experian said it believes “that the incident has been contained”, after it seized hardware from the suspected fraudster and the data was “secured and deleted”. Asked why it believed the data had not been sold or otherwise passed on in three months, the company said: “We have been monitoring the various platforms (i.e. the dark web) to ascertain whether the data is being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts.
“Also, from our internal investigations we ascertained that the fraudster conducts an insurance and credit services market place and uses the information to contact consumers in order to offer services to consumers. “Due to the serious nature of the Anton Piller order, we are not permitted to share any details around this.”
The company also reiterated that it believes the breach was not that big a deal, as the “consumer information concerned was publicly available information”.