The South African Banking Risk Centre (SABRIC) has warned that a major data breach at Experian has exposed the personal information of as many as 24 million South Africans and nearly 793,749 business entities to a suspected fraudster.
Experian is a consumer, business, and credit information services agency, whose major clients include several South African banks.
Experian has confirmed that the breach was reported to law enforcement and the appropriate regulatory authorities, SABRIC stated.
“Banks have been working with Experian and SABRIC to identify which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds.”
“Banks and SABRIC have also been cooperating with Experian in their efforts to secure the data and ensure the perpetrators are brought to book,” SABRIC said.
SABRIC said that banks will communicate with their customers about how they may be affected by the breach and what is being done to protect them.
The organisation did not indicate exactly which banks or what personal information was exposed in the breach.
SABRIC CEO Nischal Mewalall noted that although the compromise of personal information does not guarantee access to a victim’s banking profile or accounts.
“However, criminals can use this information to trick you into disclosing your confidential banking details,” Mewalall cautioned.
Advice for suspected victims
SABRIC advised persons who suspect that their identities have been compromised to immediately apply for a free Protective Registration listing with Southern Africa Fraud Prevention Service (SAFPS).
“This service alerts SAFPS members, which includes banks and credit providers, that your identity has been compromised and that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder,” SABRIC said.
Consumers wanting to apply for a Protective Registration can contact SAFPS at email@example.com.
It also recommended that bank customers follow precautionary measures, including:
- Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax, text messages or even email.
- Change your passwords regularly and never share them with anyone else.
- Verify all requests for personal information and only provide it when there is a legitimate reason to do so.
- For further advice, please see www.sabric.co.za.
SABRIC and SAFPS urged bank customers and other consumers to follow sound identity management practices to mitigate the risk of impersonation and fraudulent applications in their name.
“Think of your identity information in the same way as you think of cash,” SAFPS CEO Manie van Schalkwyk advised.
“Keep it safe and secure at all times, because once it is compromised, it can be used by anybody, often to impersonate you,” he added.
Update – Experian statement
Experian South Africa has released a statement regarding the data breach, assuring customers that no financial data was compromised.
“Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian,” the company said.
“The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”
“We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes.”
It added that its investigations show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.
“We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”
“We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities,” it said.
Experian South Africa notified the National Credit Regulator and the Information Regulator of the incident, adding that its infrastructure, systems, and database have not been compromised.
“As a precaution, we advise anyone who may have concerns to regularly check their credit report,” it said.
“You can do this by visiting www.mycreditcheck.co.za where you can access your personal credit report for free, for life.”