Consumer data leaked from Experian last year still being shared

Data leaked from Experian last year is still around in what appears to be a continuation of the data breach at the consumer, business and credit data company in August 2020.

Now the personal information of some of the people was shared on messaging application Telegram on Sunday, according to the Information Regulator.

A whistleblower alerted the Information Regulator that the database with the personal information of some of data subjects was downloaded more than a hundred times before Telegram removed the page with the link to the database.

Experian had a data breach last year that “exposed some personal information of as many as 24 million South Africans and 793,749 business entities to a suspected fraudster” the South African Banking Risk Information Centre (Sabric) said at the time.

ALSO READ: Hawks arrest suspect for massive Experian data breach

Information regulator’s investigation

According to the Information Regulator, its independent investigation found that Experian entered into a commercial engagement with someone pretending to be the director of a legitimate company to verify the names, surnames and South African identity numbers of 25,055,049 people.

Experian then shared data limited to contact information for the people in the data set, including telephone, email and physical addresses and employment data, which included place of work, title, start date and work contact details. It did not contain personal consumer credit, financial or banking information.

The person also submitted about 790,000 businesses names, addresses and registration numbers and Experian shared company registration details, general business information, company contact information and credit profile information with him and shared the bank account numbers of 24,838 of them.

ALSO READ: Experian data breach case ‘now in the hands of law enforcement’

Information regulator shocked

Advocate Pansy Tlakula, chairperson of the Information Regulator, said she was shocked to hear that some of the personal information has again been made available for downloading without the consent of the data subjects.

She said Experian stated in a letter to her last Sunday that it submitted a take-down notice request to Telegram and also informed law-enforcement agencies as part of its response to this latest violation of privacy rights.

Experian also instructed its lawyers to request the mobile operator to suspend the cell phone account of the user who dumped the data and made it publicly accessible. The identity of the person who illegally disclosed the personal information of data subjects without their consent is unknown.

ALSO READ: Fraudster who breached personal details of 24m South Africans has been found

Information Regulator warns public

Tlakula has warned the public against accessing the link on Telegram.

“We urge members of the public to exercise caution when coming across the link that supposedly contains a database with details of millions of South Africans. It could well be that the link is a trojan horse for other malware.

“We further appeal to members of the public who receive the link not to distribute it any further as they will be perpetuating the commission of a crime in terms of laws regulating the protection of personal information and laws on cybercrimes,” she said.

The Information Regulator is “deeply concerned” that personal information that had been illegally accessed in 2020 remains accessible contrary to assurances that the personal information was removed from platforms where it was dumped in 2020.

The regulator’s investigation found that some of this data appeared online twice, once on a publicly viewable file-sharing site and the second time on a dark web marketplace.

The regulator was informed that the data was removed after it was reported to the owners of the file-sharing site and it was not generally available to the public on the dark web before being removed.

ALSO READ: Email, phone scamsters among biggest buyers of illegally obtained data – expert

Data removed from Telegram and DarkWeb

“Telegram took the right decision to remove the page with the link from its platform. However, this came late because the database with the personal information of data subjects had already been downloaded more than a hundred times, which means the data is still available in the public domain.

“Given the massive amount of data and the evidence that this data remains on various platforms, contrary to assurances we received, it is clear that we have not seen the last incident of this type of exposure of people’s personal information.

“The regulator has a responsibility to the data subjects and the public. We will not hesitate to take strong action should we find evidence of continued activity that compromises the security of personal information of anyone,” Tlakula said.

ALSO READ: Experian data leak: how to avoid being caught by scammers

What Experian says

An Experian spokesperson said on Friday that the company is aware of messages sent to a limited group of people on social media messaging platforms on 24 October 2021. It is related to last year’s data incident.

“We immediately informed law enforcement and the appropriate regulatory bodies on Sunday and supported them in their investigations while also carrying out our own. Before noon on 26 October 2021, those files were deleted and removed from the messaging platform.

“Our global security teams remain vigilant and continue to monitor the internet as the possibility exists for further posting of this data and we will deal with it as quickly as is possible. We remain committed to supporting people and businesses in South Africa by continuing to offer free credit enquiry alerts until the end of December 2023 and other support services free of charge until February 2022.”