No hacking needed: Someone duped Experian into handing over data in breach affecting 24 million South Africans

Experian did not specify the data that had been stolen, but said it did not involve “credit or consumer financial information.” (Getty Images)


Written by

For fraudsters looking to swindle big corporations, sometimes it’s just a matter of asking.

Earlier this week, the South African division of credit reporting giant Experian revealed that someone posing as a client had tricked the firm into coughing up personal information on an untold amount of South African consumers.

The South African Banking Risk Information Centre (SABRIC), an association of banks focused on combating crime, put a number on the breach: up to 24 million people, and nearly 794,000 “business entities,” could be affected. Investigators have been working with banks to figure out which of their customers may have had their personal data exposed, according to SABRIC.

It’s a reminder of the reams of personal data that credit monitoring firms like Experian and Equifax are sitting on, and the high stakes those firms face in protecting it. A social engineering trick, or an unpatched software flaw, can open the door for a crook or spy to a trove of valuable data. A massive 2017 hack of Equifax, which the U.S. government blamed on Chinese military officers, compromised personal information on some 145 million Americans.

In the case of Experian South Africa, there wasn’t evidence that the stolen data had been used to defraud people, and the suspect’s computer was “impounded and the misappropriated data being secured and deleted,” the firm said.

Experian did not specify the data that had been stolen, but said it did not involve “credit or consumer financial information.” The firm downplayed what it called an “isolated incident” involving “the release of information which is provided in the ordinary course of business or which is publicly available.”

The perpetrator appeared to be looking for “marketing leads to offer insurance and credit-related services,” the firm’s statement continued. Experian South Africa CEO Ferdie Pieterse said that the fraudster already had some personal victim data in hand before approaching Experian for telephone numbers and addresses.

An Experian South Africa spokesperson did not respond to questions on how one person was able to fraudulently acquire so much data simply by posing as a client.

Cybercrime and financial fraud has been a persistent problem in South Africa. Eight people accused of stealing more than $134 million from a mutual bank were apprehended in June.

-In this Story-

credit monitoring, Experian, financial, fraud, personally identifiable information (PII), Social engineering, South Africa