The Information Regulator (IR) has expressed shock that Experian customer data was recently leaked on Telegram, in what appears to be a continuation of the data breach the credit bureau experienced last year,
Experian made headlines in August 2020, after it experienced a data breach that exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
One month later, it emerged that some data from the credit bureau was compromised and subsequently leaked on the internet.
In another incident, attempts were made to sell the leaked data on a dark web marketplace that was not generally available to the public. The regulator says it was informed this was removed shortly after being discovered.
According to a statement issued by the information watchdog, it says it learned, on 24 October 2021, that customer data was compromised in a third incident, when the personal information of people whose data had been part of the Experian data breach was placed on the Telegram messaging application over the weekend.
The IR notes it was alerted by a whistleblower that some of the data subjects whose personal information was leaked on Telegram include private individuals, business leaders, prosecutors, judges, ministers, politicians and senior public officials.
The database containing this personal information was downloaded over a 100 times before Telegram removed the page with the link to the database, it notes.
“The regulator is deeply concerned that personal information that had been illegally accessed in 2020 remains accessible contrary to assurances to the regulator that the personal information had been removed from platforms where it had been dumped in 2020,” says IR chairperson advocate Pansy Tlakula.
“Telegram took the right decision by removing the page with the link from its platform; however this came late because the database with the personal information of data subjects had already been downloaded more than 100 times. This means this data is still available in the public domain. Given the massive amount of data that was illegally obtained from Experian in 2020, and the evidence that this data remains in various platforms, contrary to assurances that had been given to us, it is clear that we have not seen the last incident of this type of exposure of people's personal information.”
In a letter sent to the regulator on 24 October 2021, Experian stated that in response to this latest violation of data subjects’ privacy rights, the credit bureau submitted a take-down notice request to Telegram and also informed law enforcement agencies.
“Experian has reported to the regulator that it has instructed its lawyers to request the mobile operator to suspend the cellphone account of the user that dumped the data and made it publicly accessible on the messaging platform. According to Experian, the identity of the person who has illegally disclosed the personal information of data subjects without their consent is unknown,” says the IR.
Tlakula has warned the public not to access or share the link provided via Telegram.
“We urge members of the public to exercise caution when coming across the link that supposedly contains a database with details of millions of South Africans. It could well be that the link is a Trojan horse for other malware.
“We further appeal to members of the public that get sent the link to the messaging app not to distribute it any further. By doing so, they would be perpetuating the commission of a crime in terms of our laws regulating the protection of personal information and laws on cyber crimes.”
Stronger action to be taken
At the time of last year’s breach, the South African Banking Risk Information Centre and the Southern African Fraud Prevention Service confirmed the leak was reported to law enforcement. They said they were working with Experian and the appropriate regulatory authorities to seek a resolution.
SA’s big banks, which have a relationship with Experian, told ITWeb at the time that they were proactively taking risk-mitigation steps to protect customers from any damage that might result from the breach.
In September 2021, the Hawks Serious Commercial Crime Investigation unit announced in a statement that it had arrested a 36-year-old suspect in Gauteng for his alleged involvement in the Experian data breach.
According to the IR, an independent investigation commissioned after the incident found Experian had entered into a commercial engagement with a person misrepresenting themselves as a director of a legitimate company.
The perpetrator provided Experian SA with over 25 million names, surnames and South African identity numbers, which Experian SA verified.
The data shared by Experian SA was limited to contact information for the persons contained in the data set provided by the perpetrator, including telephone, e-mail and physical address and employment data, which includes place of work, title, start date and work contact details, adds the IR.
No personal consumer credit, financial or banking information was shared by Experian SA.
The perpetrator also provided Experian SA with approximately 790 000 businesses names, addresses and registration numbers; however, Experian SA did not provide the perpetrator with any identity details.
The business information Experian SA shared in return consisted of company registration details, general business information, company contact information and credit profile information. For 24 838 business entities, bank account numbers were also shared.
“The regulator has a responsibility to the data subjects and the public, and we will not hesitate to take strong action should we find evidence of continued activity that compromises the security of personal information of any person,” Tlakula concludes.