Despite assertions that it had curtailed a data incident, credit bureau Experian South Africa has now confirmed that the leaked data — which exposed the personal information of around 24 million South Africans — has ended up on the internet.
In August, the company revealed that it had shared its data on South African consumers and businesses with a scammer.
No ad to show here.
The data contained the personal information of up to 24 million South Africans and 793 749 businesses.
In its media statement on the incident last month, Experian said that it had “curtailed” the data incident.
However, the data showing up on the internet means that the incident was not contained.
“As a part of this investigation, we have identified files which we believe contain Experian data relating to the incident on the internet,” the company said in a statement on 1 September.
“We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible.”
The leaked information is reportedly no longer accessible online. However, this means the data is out in the wild.
If past cybersecurity incidents are any indication, it’s likely that the data will show up elsewhere online again.
Experian whistleblower informs Information Regulator
Last week, the Information Regulator of South Africa released a followup statement on the incident. The statement said that a whistleblower had informed the body of the data appearing on the web.
“The whistleblower has informed the regulator that the information of natural persons that is hosted on the dark web includes their cell numbers, home and work phone numbers, employment details and identity numbers,” the statement said according to TimesLive.
“The regulator is extremely disturbed about the information that it has received from the whistleblower, particularly because during the meeting which it held with Experian last week, its chief executive officer Mr Ferdie Pieterse assured the regulator that Experian had obtained an Anton Piller order and managed to execute the order in terms of which the personal information of data subjects was appropriately secured.”
According to the statement, Experian confirmed its investigation into data found on the web after the regulator approached it with the whistleblower’s information.
Experian later confirmed that the data matched the information leaked to the scammer.
The company also told the regulator that it found the data on a third-party data-sharing website, not the dark web.
While no financial information leaked, cybercriminals can use personal data to target and scam victims.
Cybercriminals can also use data such as ID numbers for identity theft.
Consumers should stay vigilant during this time. Be wary of any suspicious emails from unknown senders or credit offers.
Feature image: rupixen.com on Unsplash