The massive data breach of an information services agency threatened to expose the personal details of as many as 24 million South Africans and 793,749 businesses.
A suspected fraudster managed to breach information from Experian, a consumer, business and credit information services agency. The news emerged on Wednesday.
By Thursday, Experian said the suspect had been identified, the hardware and data secured and deleted thanks to an Anton Piller order, and that law enforcement is working with the company.
Experian found the fraudster posed as a legitimate client requesting services from them.
“We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes.
“Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services,” Experian said in a statement.
The breach has been reported, and banks are working with Experian and the South African Banking Risk Information Centre (Sabric) to identify which customers have been affected by the breach.
Experian is one of the largest credit bureaus in the country. The information from credit bureaus is used to assess the status of customers when they apply for credit, and is shared, with consent, with other credit bureaus.
It assured clients that the South African bureau’s infrastructure, systems and database have not been compromised.
Sabric CEO Nischal Mewalall explained that a breach like this does create opportunities for criminals to impersonate those exposed, but “does not guarantee access to your banking profile or accounts”.
However, he warned that criminals could use customers’ information to trick them into disclosing confidential banking details.
Clients warned to be vigilant
First National Bank (FNB) has advised customers to be “extra vigilant” and to follow recommended security precautions. The bank is working with Sabric and the Banking Association of South Africa to mitigate potential risks facing customers.
Customers who have been affected by the breach will be contacted by FNB directly.
Absa bank assured it has put necessary precautionary measures in place to protect customers, and will contact them directly should any suspicious activity be detected.
Clients are urged to contact the fraud hotline on 0860 557 557 should they pick up any unusual activity.
The bank warned that criminals will attempt to deceive unsuspecting customers into disclosing passwords, online pins, card pins, card CVV numbers, one-time pins and/or authentication messages.
“Fraudsters might also try to influence consumers’ rational thinking by causing excitement, distress and urgency,” they said.
Standard Bank confirmed it is investigating the data breach in which some of their clients’ demographic information was provided to a third party posing as Experian.
The bank said it has “proactively stepped up” its authentication process, fraud prevention and detection strategies, but could not divulge more details.
They advised that their clients change banking passwords on social media and digital banking platforms, and that personal clients register for DigiMe on the Standard Bank application. Clients are urged to register with MyUpdates, so that they can be notified of any transactions over R100.
What to do if you think your data has been breached
Those who suspect their identity has been compromised should apply for free identity protection with the Southern African Fraud Preventions Services (SAFPS), which provides “additional care” when confirming transactions, and alerts banks and credit providers that your identity may have been compromised.
SAFPS CEO Manie van Schalkwyk strongly advised to keep identity information safe and secure at all times, “because once it is compromised, it can be used by anybody, often to impersonate you”.
“Think of your identity information in the same way as you think of cash”, she added.
Here are some useful tips to keep your identity safe:
- Never disclose personal information to anyone via telephone, text or email;
- Change your passwords regularly, and do not share them with anyone;
- Only verify requests for personal information when there is a legitimate reason to do so;
- Follow your bank’s recommended security precautions for online banking.
If you think your data has been breached, email SAFPS at firstname.lastname@example.org, or SMS the word “Protectid” to 43366. For more information, visit the SAFPS website.
Experian Africa CEO Ferdie Pieterse apologised profusely for the inconvenience, and advised that anyone with concerns should check their credit report regularly. This can be accessed here.
(Compiled by Nica Richards)