Information for consumers

Experian fraudulent data incident

NOTIFICATION OF UNAUTHORISED ACCESS OF PERSONAL INFORMATION ON CONSUMERS, IN TERMS OF SECTION 22 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 4 OF 2013:

On 22 July 2020 Experian became aware of an isolated incident involving a third party obtaining personal information on South African legal entities and consumers on 24 and 27 May 2020.

Experian followed up with the purported client for bills outstanding on 30-day terms and, when no payment was forthcoming, entered into a recovery process. Experian subsequently conducted further checks and at that point determined that the transaction was fraudulent. Experian immediately initiated an internal investigation and shortly thereafter informed the necessary authorities as well as the banks.

Our investigations pointed to a potential suspect, which enabled us to consider all appropriate legal action, including the Anton Piller application. We thus undertook to obtain and execute the Anton Piller order in order to impound hardware that we were able to locate and ensure that the data relating to specific Experian key words on such hardware was secured and deleted. An Anton Piller application is designed to secure evidence that would otherwise be destroyed if the person in possession of the evidence is given notice of the application. It was therefore not possible to disclose the incident to the public prior to the execution of the Anton Piller order, the execution of which was successfully completed on Tuesday 18 August. We then proceeded to provide notification via our website and a public media statement on 19 August 2020.

Description of the consequences of the Incident

The table below outlines what information the fraudster provided Experian with and the information that Experian provided back to the fraudster.

| Consumer Information | Information provided by the Fraudster to Experian | Information provided by Experian to the Fraudster |
|---|---|---|
| Name | Yes | Not provided by Experian |
| Surname/s | Yes | Not provided by Experian |
| RSA ID number | Yes | Not provided by Experian |
| ID Verification Flag | | Provided where available |
| Cellphone number/s | | Provided where available |
| Home telephone number/s | | Provided where available |
| Other telephone number/s | | Provided where available |
| Work Phone/s | | Provided where available |
| Email address/s | | Provided where available |
| Address/s | | Provided where available |
| Place of work, work address, title and start date | | Provided where available |

Our investigations do not indicate that the misappropriated data has been used for fraudulent purposes (i.e. identity theft) and it appears that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services. While it is our understanding that the data released on individuals is not typically used to perform identity theft, we advise that consumers remain vigilant to ensure they do not fall victim to social engineering or identity theft.

Advice or recommended measures that can be taken by the data subject to mitigate the possible adverse effects of the unauthorised data access

We recommend that individuals remain vigilant and regularly view their credit profile. This can be obtained free of charge once a year from any one of the registered credit bureaus.

You can review your Experian credit report by visiting www.mycreditcheck.co.za where you can access your personal credit report for free, for life. Consumers who request their free credit report through My Credit Check or My Credit Expert will also automatically receive free SMS notifications on their cellphone when any credit enquiry is made on their credit report until 31 December 2023.

You can further consider registering for protective registration at the South African Fraud Prevention Services (https://www.safps.org.za/Home/OurServices_ApplyProtectiveRegistration), which will place a fraud alert on your credit report. The alert informs creditors of possible fraudulent activity within your report and requests that the creditor contact you prior to establishing any accounts in your name.

For guidance on how to protect yourself against identity theft as well as the steps on what to do if you’re the victim of identity fraud click here.

If you are the victim of actual or suspected identity theft, please contact your local law enforcement.

 

Description of what Experian has done to address the incident

Experian can confirm that the appropriate technical and organisational measures against any further unlawful or unauthorised processing of personal information have been implemented. These include improving its process for onboarding new clients through the implementation of additional verification and authentication controls, including verifying information with non-public third-party sources. Experian has furthermore conducted a risk assessment as well as a compliance review, and remedial actions were immediately put in place. These controls are further being enhanced and we confirm that we will audit the effectiveness of these controls through an independent auditor.

Experian South Africa was successful in obtaining and executing an Anton Piller order. The Anton Piller order allows the perpetrator's hardware that we were able to locate to be impounded and the data relating to specific Experian key words on such hardware to be secured and deleted. We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities.

We can confirm that a criminal case was opened in South Africa and the matter is now in the hands of law enforcement. We continue to co-operate with law enforcement by supporting their investigation and providing them with the necessary information as requested to bring the suspect to justice.

Since Experian became aware of the fraud on 22 July 2020, our Global Security teams have been monitoring various platforms (including the dark web) to ascertain whether the data was being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts. To date, our Global Security teams have not yet observed the data being offered for sale on the internet and at this point there is no indication that any misappropriated data has been used for fraudulent purposes.

On 1 September our ongoing investigation identified files on the internet, on a restricted file sharing site, which we subsequently confirmed contained Experian data relating to the incident reported in the media on 19 August. We notified the Information Regulator and NCR of this and published a statement.

Our Global Security team immediately engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site that they were uploaded to. The Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet for further activity. Our global security teams have confirmed that they still have not observed the data being offered for sale on the internet and at this point there is still no indication that this data has been used for fraudulent purposes.

We continue to investigate this incident with a full team of experts, working closely with law enforcement agencies and the Regulators, such as the Information Regulator and the National Credit Regulator.

 

Identity of the person who has accessed the data

Experian believes it has identified the suspect, who is an adult South African male. The suspect operates a business in the direct marketing services industry in South Africa. Due to the potential impact on the criminal case, we are not permitted to disclose the identity of the suspect until such a time as law enforcement agencies think that it is appropriate to do so.

 

Indicate how a data subject, who did not receive such notification, can verify if his/her/its personal information was also compromised

In order to determine whether your personal information was compromised, please email za.consumercare@experian.com.

Once again, we apologise for the unauthorised disclosure arising from this incident.

Our priority remains supporting consumers and businesses in South Africa. We have updated the Experian South Africa website with a frequently asked questions document for your reference: https://www.experian.co.za/fraudulent-data-incident/faqs

 

Contact Us

Should you have any immediate queries, please email za.consumercare@experian.com or contact us on 0861 51 41 31 between 08:00 and 17:00, Mondays to Fridays, or visit https://www.experian.co.za/fraudulent-data-incident for further information.

Contact information of the South African National Credit Regulator, should you require any further assistance related to credit information:

Website: http://www.ncr.org.za

Postal Address: P O Box 209, Halfway House, 1685

Street Address: 127-15th Road, Randjespark, Midrand, JOHANNESBURG, 1685

Phone: 011 554 2600 or 086 062 7627

 

Contact information of the South African Information Regulator should you require any further assistance:

Attention: Adv Kelaotswe

Physical address: 33 Hoofd Street; Forum III 3rd Floor Braampark, Braamfontein, Johannesburg

Postal Address: P.O Box 31533, Braamfontein, Johannesburg, 2017

Tel: +27 (0) 10 023 5200

Email: enquiries@inforegulator.org.za

Website: https://www.justice.gov.za/inforeg/
