Experian Security Breach in South Africa
By Kayla Deruiter on October 22, 2020
Executive Summary:
Experian is a well-known company for analyzing and processing data to help other companies prevent identity fraud and crime. Some of their services include managing credit risk and credit reporting, which involve a lot of consumer personal information (About Experian 2020). On August 19, the South African Banking Risk Centre (SABRIC) announced that Experian had a data breach, exposing millions of consumers’ personal information. Experian states that it was not a hack, but a client who fraudulently requested services back in May 2020 (Cimpanu 2020). Regardless, personal information was leaked such as; addresses, ID numbers, names, and occupations. As of September 2, 2020 Experian continues investigation on the leak.
Open Source Intelligence (OSINT) Details:
Experian disclosed the data breach on August 19, 2020 by admitting that they handed over personal information of their South African customers to a fraudulent client. The estimated people who were affected by this breach in South Africa is about 24 million individuals and around 793,000 local businesses (Cimpanu 2020). According to Experian, they identified the individual who was posing as a client and obtained a warrant to confiscate that individual’s hardware and the data is being “secured and deleted” (Cimpanu 2020). Experian reports that none of the data was used for malicious purposes and the infrastructure and companies systems has not been altered or compromised. The company states, “Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.” They mention that only personal information was leaked that could be found publicly, but not financial information of customers (Cimpanu 2020).
Being a big company, the incident was reported to National Credit Regulator, the Information Regulator, and other major stakeholders which is part of protocol when there is a data breach (Burger-Smidt 2020). The incident happened in May 2020, but was not reported until July 2020, which leaves customers doubtful and unprepared for what other breaches could come. According to the article by BBrief, this is the one of the four major data breaches in South Africa of this year alone, and the financial impact of data breaches hit companies hard (Burger-Smidt 2020). Research shows that the cost of breaches are rising and no matter how hard a company tries to mitigate the threat a breach occurs, and most likely by insider threats, intentionally and unintentionally. Since the incident, South African banks are providing tips to customers on how to keep themselves safe from identity theft and other cyber-attacks.
Potential Impacts:
According to an article on Fortunly about statistics on data breaches, the cost of cyberattacks within the banking industry is approximately $18.3 million a year per company reported for 2020 (Dautovic 2020). In response to the rising cost of data breaches, companies are spending large amounts on security measures to mitigate attacks. Not only are the financial losses huge when a financial company has a data breach, but it also loses trust from customers, which could result in customers withdrawing from Experian services. Back in 2015, Experian was hacked, exposing the data of 15 million Americans who were customers of T-Mobile, and in a result of that cyberattack, Experian offered free credit monitoring services to those affected (Thielman 2020). Possibly the same thing will happen for the South Africa data breach, so that customers can feel safer knowing that they can track their data.
Significance:
It is inevitable for large financial companies such as Experian, Equifax, etc to get hacked for information and financial gain. There is no 100% way to ensure that an individual’s information does not get leaked or compromised, but there are things customers and companies can do to mitigate the chances, such as; installing up to date security software, train employees on possible attacks, and monitor data to catch any suspicious activity and patch it before the breach increases. Knowing about the data breach could motivate the affected individuals and the company to be more aware and prepared for incidents like this to happen, and to alter security measures to have less of an impact. In this instance there was no malicious activity with the data, but when there is it could result in the loss of a lot of money.
Sources:
About Experian. (2020). Retrieved September 15, 2020, from https://www.experian.com/corporate/about-experian
Burger-Smidt, A., By, -, Burger-Smidthttp://www.werksmans.com/, A., Burger-Smidt, A., & Here, P. (2020, September 13). Massive data breach in SA – did Experian do enough? Retrieved September 15, 2020, from https://www.bbrief.co.za/2020/09/09/massive-data-breach-in-sa-did-experian-do-enough/
Cimpanu, C. (2020, August 19). Experian South Africa discloses data breach impacting 24 million customers. Retrieved September 15, 2020, from https://www.zdnet.com/article/experian-south-africa-discloses-data-breach-impacting-24-million-customers/
Dautovic, G. (2020, May 04). 25 Financial Data Breach Statistics (2020 Update). Retrieved September 15, 2020, from https://fortunly.com/statistics/data-breach-statistics
Thielman, S. (2015, October 02). Experian hack exposes 15 million people’s personal information. Retrieved September 15, 2020, from https://www.theguardian.com/business/2015/oct/01/experian-hack-t-mobile-credit-checks-personal-information