No hacking needed: Someone duped Experian into handing over data in breach affecting 24 million South Africans

For fraudsters looking to swindle big corporations, sometimes it’s just a matter of asking.

Earlier this week, the South African division of credit reporting giant Experian revealed that someone posing as a client had tricked the firm into coughing up personal information on an untold number of South African consumers.

The South African Banking Risk Information Centre (SABRIC), an association of banks focused on combating crime, put a number on the breach: up to 24 million people, and nearly 794,000 “business entities,” could be affected. Investigators have been working with banks to figure out which of their customers may have had their personal data exposed, according to SABRIC.

It’s a reminder of the reams of personal data that credit monitoring firms like Experian and Equifax are sitting on, and the high stakes those firms face in protecting it. A social engineering trick, or an unpatched software flaw, can open the door for a crook or spy to a trove of valuable data. A massive 2017 hack of Equifax, which the U.S. government blamed on Chinese military officers, compromised personal information on some 145 million Americans.

In the case of Experian South Africa, there wasn’t evidence that the stolen data had been used to defraud people, and the suspect’s computer was “impounded and the misappropriated data being secured and deleted,” the firm said.

Experian did not specify the data that had been stolen, but said it did not involve “credit or consumer financial information.” The firm downplayed what it called an “isolated incident” involving “the release of information which is provided in the ordinary course of business or which is publicly available.”

The perpetrator appeared to be looking for “marketing leads to offer insurance and credit-related services,” the firm’s statement continued. Experian South Africa CEO Ferdie Pieterse said that the fraudster already had some personal victim data in hand before approaching Experian for telephone numbers and addresses.

An Experian South Africa spokesperson did not respond to questions on how one person was able to fraudulently acquire so much data simply by posing as a client.

Cybercrime and financial fraud have been persistent problems in South Africa. Eight people accused of stealing more than $134 million from a mutual bank were apprehended in June.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
