Experian only informed Information Regulator months after hack

By Admire Moyo
Johannesburg, 21 Aug 2020
Advocate Pansy Tlakula, chairperson of the Information Regulator

The Information Regulator is concerned about the hacking of credit bureau Experian, which occurred less than two months after the commencement of the Protection of Personal Information (POPI) Act.

This week, Experian, a consumer, business and credit information services agency, confirmed it experienced a data breach which exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.

In a statement to ITWeb, advocate Pansy Tlakula, chairperson of the Information Regulator, says: “The Information Regulator is concerned about the alleged security breach experienced by Experian South Africa which has compromised personal information of reportedly 24 million South Africans.”

The fundamental part of the POPI Act is that during the process of collecting personal information, organisations must provide the requisite reasons for obtaining the data and importantly ensure it’s shared with only authorised individuals.

At the moment, Experian is not yet liable under the POPI Act, as organisations have until 1 July 2021 to meet the Act’s various obligations.

When the POPI Act is in force, businesses that don't comply, regardless of whether it’s intentional or accidental, can face severe penalties. The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

‘Fraudulent misrepresentation victim’

According to Tlakula, the regulator became aware of the breach on 6 August, when Experian sent an e-mail requesting an urgent meeting to “discuss a matter”.

She adds that on 7 August, the regulator met with Experian where it was advised that a breach was experienced.

The regulator advised Experian to report the breach in accordance with Section 22 of the POPI Act.

Tlakula adds that Experian sent a report to the regulator on 14 August in which it advised the regulator that it was a victim of “a fraudulent misrepresentation” that occurred in May.

However, she says the regulator cannot disclose the contents of the report to the public because it does not want to jeopardise the investigation of a criminal case which Experian says it intends to report to the South African Police Service.

“In general, the report details, amongst others, how the fraudulent activity was committed, the steps that have been taken to investigate the fraud and to mitigate its effects. POPIA places an obligation on a responsible party (Experian) to notify the regulator and the data subject (owner of data) of a security compromise where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, unless the identity of such data subject cannot be established,” Tlakula says.

She notes the notification must be made as soon as reasonably possible after the security compromise was discovered, taking into account law enforcement processes, measures that have to be taken to determine the scope of the compromise and measures that must be taken to restore the integrity of the compromised system.

The notification must be made in writing and provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, she adds.

“The responsible party must provide the data subject with a description of the possible consequences of the security compromise, outline measures that the responsible party intends to take or has taken to address the security compromise, make a recommendation as to how a data subject can mitigate the effect of the security compromise and disclose if the responsible party is aware of the identity of the unauthorised person who may have accessed or acquired the personal information.”

According to Tlakula, Experian has not informed the regulator whether it has notified the affected data subjects of the security compromise, and has not fully complied with the notification requirements stipulated in the POPI Act. The regulator will follow up in this regard.

She points out that since its establishment in 2016, the regulator has been urging all public or private bodies which process personal information to ensure they comply fully with the POPI Act.

“Credit bureaus are private bodies and would be classified as responsible parties in terms of POPIA. They are obliged to comply with the eight conditions for the lawful processing of personal information.”

For example, Tlakula explains, credit bureaus can only process personal information if consent from a data subject is obtained, if information is collected directly from the data subject, and if such information is collected for a specific purpose.

“They must secure the integrity and confidentiality of personal information in its possession or under its control. They must take reasonable, technical and organisational measures to prevent loss or damage or unlawful access to personal information in its possession and under its control.”

Meanwhile, Experian is continuing to investigate the incident. “Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian. The services involved the release of information which is provided in the ordinary course of business or which is publicly available,” says the credit bureau.

“Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.

“We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order, which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted. We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities.”

Anna Collard, MD of KnowBe4 Africa, comments: “Although the suspect has been identified and the data had been deleted, we urge you to be extra vigilant.

“This event shows how valuable our personal information is. Criminals sell and use this information to commit identity theft and open up accounts or order goods in their victims’ names. It also helps them build personalised scams meant to trick victims into downloading malicious software or disclosing confidential data, such as banking PINs or passwords.”