Experian, the world’s largest credit bureau, leaked data belonging to 24 million South Africans and close to 800,000 businesses, the South African Banking Risk Information Centre said. The data breach occurred after a suspected fraudster approached the firm posing as a representative of a legitimate client. Experian credit reports are based on consumers’ borrowing and repayment habits, making the data invaluable to lenders such as banks and car dealerships. The firm, however, denied that any credit or consumer financial information was obtained. South African privacy regulators have opened a case to investigate the circumstances surrounding the breach.
Details of the Experian data breach
Experian said it notified law enforcement immediately after the data breach occurred. The officers confiscated the suspect’s hardware after executing an Anton Piller order, and the data was deleted. The credit bureau said that the data was never used for any fraudulent activities and that the suspect did not compromise any of its infrastructure, systems, or customer database. The company disclosed that the suspect intended to generate marketing leads for insurance and credit-related services.
Experian insisted that only personal information was compromised, and that “no financial or credit-related information was involved.” The firm also added that the information exposed in the data breach was publicly available and “provided in the ordinary course of business.” However, Standard Bank, one of South Africa’s major banks, said its clients’ demographic information was leaked in the Experian data breach. The bank asked its customers to secure their accounts by changing their passwords as a precautionary measure.
The South African privacy regulators also took up the matter and launched an investigation into the data breach. Experian also said it was pursuing legal avenues to address the issue.
While no financial information was leaked in the Experian data breach, handing over consumers’ personal information to unauthorized third parties exposes them to phishing attacks. Criminals could use the information to impersonate legitimate financial institutions and trick users into disclosing their account information through telephone calls or email phishing scams. Such attacks succeed because many consumers are unaware of the tactics fraudsters use to extract sensitive information from them.
Saryu Nayyar, Gurucul’s CEO, says that although fraud and malware are related, they require different security measures.
“Experian is in the headlines again for suffering a major cyberattack. As a consumer credit reporting company, they are clearly a high-value target for cybercriminals. Likely the company has an array of cybersecurity protections in place to prevent data breaches. Social Engineering, however, is a different animal. In this case, an individual fraudulently claimed to represent a client and gained access to Experian services. This person then made off with 24 million South Africans’ PII as well as information from 800,000 businesses. Fraud is malware’s ugly cousin. You need different controls to detect and catch social engineering and fraudulent behavior because fraud isn’t code. Fraud isn’t a malware application. People commit it.”
Mitigating the risks associated with the Experian data breach
The Southern African Fraud Prevention Service (SAFPS) advised South Africans who suspect that their identities have been compromised to apply for its free identity protection service. The service alerts SAFPS members, which include banks and credit providers, that the customer’s identity has been compromised and that additional care should be taken to verify that they are transacting with the legitimate identity holder.
Dean Ferrando, Systems Engineer Manager – EMEA at Tripwire, advises affected customers to change their passwords, highlighting the gravity of identity theft.
“For those affected by this breach, I would strongly recommend they change their passwords and security information. Identity theft is just as bad as an attacker draining one’s bank account.”