Experian South Africa discloses data breach impacting 24 million customers

Experian said the attacker was identified and its data deleted from the fraudster's devices.

The South African branch of consumer credit reporting agency Experian disclosed a data breach on Wednesday.

The credit agency admitted to handing over the personal details of its South African customers to a fraudster posing as a client.

While Experian did not disclose the number of impacted users, a report from the South African Banking Risk Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses.

Experian said it reported the incident to local authorities, which were able to track down the individual behind the incident. Since then, Experian said it obtained a court order, "which resulted in the individual's hardware being impounded and the misappropriated data being secured and deleted."

Experian said that none of the data had been used for fraudulent purposes before being deleted and that the fraudster did not compromise its infrastructure, systems, or customer database.

"Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian," the agency said in a statement.

"Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services."

According to Experian, only personal information was exposed in the incident, and no financial or credit-related information was involved.

The credit reporting agency described the shared data as "information which is provided in the ordinary course of business or which is publicly available."

Nonetheless, the data was deemed personal enough for South African privacy regulators to open a case regarding the incident.