Picture: 123RF/WELCOMIA
Picture: 123RF/WELCOMIA

Experian Africa expects the suspect responsible for a data breach that exposed the personal information of as many as 23.4-million South Africans will be arrested and charged as early as Friday, the company says.

The hack is also said to have exposed 800,000 businesses, according to the SA Banking Risk Information Centre, a nonprofit organisation set up by the major lenders to combat bank-related organised crime.

Experian collects credit data about clients from banks and other businesses. SA has the third-highest number of cybercrime victims in the world with about R2.2bn lost each year through fraudulent activities carried out via the internet, according to professional services company Accenture.

The lockdown imposed by the government to help curb the Covid-19 pandemic may have increased  the prevalence of cybercrimes as more consumers moved onto digital platforms to bank and shop.

“Since Tuesday, when we executed the search and seizure operation to obtain his devices and hardware, we have continued to build our criminal case and as soon as we lay charges tomorrow [Friday] the directorate for serious criminal offences will go and apprehend the suspect,” says Experian Africa CEO Ferdie Pieterse.

Experian’s external cyber forensic investigation company has begun deleting all of the information on the suspect’s devices under the supervision of the sheriff of the court, he said. The team declined to disclose whether any information on the devices has been used or moved.

Pieterse said Experian’s cyber forensic and crime unit based in the UK and US has found no evidence of the data being sold on either the “dark web” or the normal internet.

He described the suspect as a “fairly smart cybercriminal” who used sophisticated techniques to fraudulently misrepresent himself as the director of a legitimate local financial services company, beginning in May.

“He had the ID number of the director of the company and all the company information. He had created a fake website of the company complete with e-mail addresses for clerical and administrative staff. Due to the lockdown, we did not go and visit him at his place of business,” Pieterse said.

The impostor provided 25-million ID numbers, along with first names and surnames, and wanted Experian to provide additional consumer information, including landline and cellphone numbers, home addresses and where possible, places of work.

This is commonly referred to as information for marketing leads and did not involve the disclosure of bank account details or credit bureau information. Experian was able to provide additional information on 23.4-million accounts.

While this appears harmless, the information can be used to acquire more information that can ultimately be dangerous, says FNB executive Christoph Nieuwoudt. “The contact information can be used by criminals to pretend that they are you or they can send you phishing attacks that actually solicit further information from you in order to launch an attack on you,” he said.

The suspect also wanted to “clean up” his own database of 793,749 company records which included company names, registration numbers and dates of incorporation.

“In the process of providing information, we mistakenly provided bank account numbers for 24,838 companies. This was spread across 26 banks, with 98% of the accounts held with the big five banks. That was an internal control failure,” Pieterse said.

Experian is taking disciplinary action against the employees concerned, the company said.

The Reserve Bank said it has been in discussions with all of the banks involved to assess the consequences of the breach for customers and to limit the likelihood that it may lead to fraud and financial loss. “At this stage, we do not consider this data breach to have a systemic impact on the financial sector, though we are monitoring the situation closely,” it said in a statement on Thursday.

The information regulator, which is responsible for implementing the Protection of Personal Information Act says SA is experiencing a high number of data breaches. “In the last four months the Regulator has recorded twenty-five (25) data breaches, nineteen (19) of which were self-reported,” it said in a statement on Thursday.


Would you like to comment on this article or view other readers' comments?
Register (it’s quick and free) or sign in now.

Speech Bubbles

Please read our Comment Policy before commenting.