
Experian finds stolen data on ‘third-party, data-sharing site’

The site was hosted in Switzerland, with the links now disabled and the data removed, the SA information regulator says

Picture: 123RF/WELCOMIA.

Hours after Experian found data of millions of South Africans on the internet, the credit records company said on Thursday that it had located and shut down the server that stored the data.

The files were located on a secure “third-party, data-sharing site” hosted in Switzerland. The administrators of the website have disabled the links and the data has been removed, the SA information regulator said in a statement.

Experian announced in August that it had mistakenly handed over data to a suspected fraudster involving the personal information of as many as 24-million South Africans.

Global cybersecurity company Kaspersky says such leaks “are not rare” because, most of the time, as in the case of Experian, breaches are the result of human error.

“We can neither confirm nor deny the fact that the data from Experian’s databases is on the internet, as at the moment we are not seeing any noticeable circulations of such information or its active distribution,” said Dmitry Galov, security researcher with Kaspersky in Moscow.

SA’s information regulator is tasked with ensuring the integrity of the public’s personal information and will oversee the implementation of the amended Protection of Personal Information Act, which comes into effect in July 2021.

The regulator says it will be conducting an independent review of what happened at Experian to “assess the extent of the data breach”, as well as to ensure all personal information is “appropriately protected”. It says Experian has committed to co-operate.

It will bring the data breach to the attention of its counterpart in Switzerland, the Federal Data Protection and Information Commissioner, as the breach involves a cross-border flow of personal information.

Experian’s international cyber and forensic teams have been monitoring the internet, including the deep and dark web, for any indications that the information the company mistakenly provided to an individual misrepresenting himself has been disseminated or distributed online.

Experian told Business Day in August that the individual — who has been charged and had all his devices confiscated under an Anton Piller order (a court-granted order that gives a successful applicant the right to search and seize devices in the possession of people suspected of stealing information) — fraudulently misrepresented himself as an established financial services executive using a fake ID and a fake website.

In the first leg of the engagement, he provided Experian with about 25-million matching ID numbers, names and surnames, and asked Experian for supplementary marketing information including e-mail addresses, cellphone numbers, home and work phone numbers and physical addresses, where available.

Experian was able to provide additional information on 23.4-million individuals.

While this appears to be benign information, the banks have warned that, in the wrong hands, the information can be used to phish and extract further information from consumers, including sensitive financial and banking details.

Or, “the stolen information might be exploited to trick bank employees into thinking they are dealing with a customer”, says Kaspersky.

The second part of the engagement involved the fraudster wanting Experian to validate or test his database of 793,749 company records, which included company names, registration numbers and dates of incorporation. It was in the process of doing this that Experian mistakenly provided the bank account numbers for 24,838 companies.

Experian shared the information on May 24 and 27, and became aware of the fraud on July 22. Experian executed an Anton Piller order on August 18.

thompsonw@businesslive.co.za
