Frequently asked questions

Experian fraudulent data incident


As our investigation continues, we will keep adding questions and answers as they arise during the handling of this data incident.

The facts contained herein are, to the best of our knowledge, true and accurate. We will update this document as more facts emerge.

FOR CONSUMERS

Q. What type of information was shared with the fraudster?

We can confirm that no personal consumer credit, financial or banking information was shared. The data was limited to non-confidential contact information (telephone numbers, email addresses and physical addresses) and employment information (place of work, title, start date and work contact details).

The table below outlines what information the fraudster provided to Experian and the information that Experian added to the file and returned to the fraudster.

Consumer Information                              | Provided by the Fraudster to Experian | Provided by Experian to the Fraudster
--------------------------------------------------|---------------------------------------|--------------------------------------
Name                                              | Yes                                   | Not provided by Experian
Surname/s                                         | Yes                                   | Not provided by Experian
RSA ID number                                     | Yes                                   | Not provided by Experian
Cellphone number/s                                |                                       | Provided where available
Home telephone number/s                           |                                       | Provided where available
Other telephone number/s                          |                                       | Provided where available
Work phone/s                                      |                                       | Provided where available
Email address/s                                   |                                       | Provided where available
Address/s                                         |                                       | Provided where available
Place of work, work address, title and start date |                                       | Provided where available

Note that while the name, surname and ID number are included in the data file, this data did not originate from Experian.

Experian did not provide the name, surname and identity number of the consumers. The perpetrator already had this data in his possession; it was not provided by Experian and was sourced elsewhere. Experian provided the contact information and employment details as outlined in the table above.

Q. Did Experian provide identity numbers on South African individuals?

Experian did not provide the fraudster with identity details. The fraudster provided Experian with 25,055,049 names, surnames and South African identity numbers, which Experian verified. Experian appended the information described above (summarised as contact and employment details) to the data that was supplied by the fraudster. Experian also added a verification status on the ID.

Q. Did Experian provide credit data, credit scores or bank account details on individuals to the fraudster?

No, Experian did not provide any financial or credit-related information to the fraudster. The consumer information shared on individuals contained contact details and employment information only (as described above).

Q. Have you notified the affected consumers?

We issued a media statement on 19 August (before which we contacted the regulators) and simultaneously updated our website with a notification on the data incident. We would advise any individual who has concerns about their data to check their credit report by visiting www.mycreditcheck.co.za, which they can do for free, for life. Consumers who request their free credit report through My Credit Check or My Credit Expert will also automatically receive free SMS notifications on their cellphone whenever a credit enquiry is made on their credit report, until 31 December 2023.

Q. What is Experian doing to help the affected consumers?

We are providing consumers with unlimited free access to their credit report. Consumers who request their free credit report through My Credit Check or My Credit Expert will also receive free SMS alerts whenever a credit enquiry is made on their credit report, from now until 31 December 2023.

Please visit www.mycreditcheck.co.za where you can access your personal credit report for free, for life. If you have any questions or concerns, please email our Customer Care agents at za.consumercare@experian.com or contact us on 0861 51 41 31. 

FOR BUSINESSES

Q. What type of information was shared with the fraudster?

The business information that Experian shared consisted of various fields, including company registration details, general business information, company contact information and credit profile information. For 24,838 business entities, bank account numbers were also shared.

For ease of understanding, the table below summarises the business information and data fields that Experian provided to the fraudster.

Business Information         | Examples
-----------------------------|---------------------------------------------------------------------------------------------------------------
Company registration details | Legal name, alternative name, previous name, changed name, type of entity, company status, registration number
General business information | Holding company, ultimate holding company, principals, number of employees, premises, BEE (Yes/No indicator), VAT number/flag, Sicc information
Company contact information  | Telephone, postal address, street address, province, branches, email, fax
Credit information           | Score, judgements (Yes/No indicator), last JU date, liquidations, adverse references (Yes/No indicator), enquiry amount, enquiry terms, turnover range
Banking information          | Bank code, bankers, branch, bank account numbers (shared on 24,838 business entities)
Other information            | Kim number, report date, import/export, R/D cheque, auditor, NCA (Yes/No indicator)

Q. Have you notified the affected businesses?

We issued a media statement on 19 August and simultaneously updated our website with a notification on the data incident.

We also engaged the affected banks to assist with monitoring for any abnormal activity as well as to inform the impacted business entities.

We would advise any business that has concerns about its data to contact Experian on 0861 3973 7426 or email ServiceDeskSouthAfrica@experian.com.

Q. What is Experian doing to help the affected businesses?

We are providing affected businesses with a copy of their business credit report for 6 months, as well as free Business Alerts. The free Business Alerts provide immediate notifications of any event or change on the company profile held on the Experian database, including CIPC updates. The complimentary Business Alerts service will be provided to you until 31 December 2023.

To activate these Business Alerts and receive access to your Business Credit Report, please email ServiceDeskSouthAfrica@experian.com.

GENERAL

Q. Was Experian hacked?

No. Experian South Africa has been the victim of fraud in which the perpetrator, pretending to be a legitimate client, made a fraudulent data inquiry. We have introduced additional authentication controls to prevent this type of incident from occurring again.

Q. When exactly did the fraud occur?

The information was shared on the 24 and 27 May 2020. Experian became aware of the fraud on 22 July 2020.

Immediately upon discovering the incident, Experian investigated the matter and then proceeded to notify the regulators and affected banks. We instituted an Anton Piller application, which delayed publication of the incident: an Anton Piller order relies on the element of surprise, so we could not make the incident public before it was executed. The execution of the Anton Piller order was completed on Tuesday, 18 August. Experian issued a media statement on Wednesday, 19 August.

Q. What caused the delay between the date the fraud took place and the public notification?

Experian SA followed up with the purported client for bills outstanding on 30-day terms and, when no payment was forthcoming, entered into a recovery process. Experian SA subsequently conducted further checks and at that point determined that the transaction was fraudulent. Experian immediately initiated an internal investigation and shortly thereafter informed the necessary authorities as well as the banks.

Our investigations pointed to a suspect, which enabled us to consider all appropriate legal action, including the Anton Piller application. We thus undertook to obtain and execute an Anton Piller order in order to impound the hardware that we were able to locate and ensure that the data on such hardware was secured and deleted. By its nature, an Anton Piller application requires extreme secrecy, as the element of surprise is crucial in executing the order. We therefore could not disclose the incident prior to the execution of the Anton Piller order, which was successfully completed on Tuesday, 18 August.

Q. Why did Experian only inform the Regulators of the data theft in August when the theft occurred in May?

Experian only became aware of the fraud on 22 July 2020. Experian SA followed up with the person they thought was the client for bills outstanding on 30-day terms and, when no payment was forthcoming, entered into a recovery process. Experian SA subsequently conducted further checks and at that point determined that the transaction was fraudulent. Experian immediately initiated an internal investigation and shortly thereafter, between 4 August and 7 August, informed the National Credit Regulator, the Information Regulator and the affected banks.

Q. How did the fraud actually happen?

The fraudster impersonated a director of a known company and proceeded to procure services from Experian as a client. The data was shared with the purported client using Experian's secure data transfer protocols.

Q. Can anybody buy data from you?

No. Depending on the type of data, a requestor must provide a reason for requesting the data. The purported client provided Experian with a valid data access reason, given the nature of his purported business, and the data was released on the basis of the reason provided.

Q. How was the information provided to the fraudster?

The data was shared with the purported client using Experian's secure data transfer protocols. No data was shared via email or on any external devices.

Q. Did the fraudster use a thumb drive?

No. The fraudster did not use a thumb drive or USB flash drive.

Q. Was the data used or compromised?

We have been monitoring, and continue to monitor, various platforms (including the dark web) to ascertain whether the data is being offered for sale. Our ongoing investigations identified files on the internet which we subsequently confirmed contained Experian data relating to the incident. We can confirm that our Global Security teams have removed these files from the internet site to which they were uploaded and continue to monitor the internet for further activity.

Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes and it appears that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.

Q. What is Experian doing to ensure this incident will not occur again?

Immediate additional controls and safeguards have been introduced to prevent this type of fraud from occurring again. We have reviewed our onboarding process and have introduced additional controls to verify and authenticate who we deal with. Our newly designed processes will be subject to an external audit by an independent external auditor.

Q. Which authorities have you notified?

Upon discovering the incident, we notified the National Credit Regulator, the Information Regulator and the banks. We have also been engaged with BASA, SABRIC and the prudential authority at the SARB.

Q. Where are you with the legal and criminal process?

We have completed the interim Anton Piller order. We have laid criminal charges against the individual and are working with the HAWKS to bring this criminal to justice. 

Q. Could this have compromised information of individuals from other markets?

No. This fraud incident is limited to information held in South Africa and does not go beyond.

Q. What processes and protocols does Experian have in place to protect consumer data and privacy?

Privacy is at the heart of what we do and the way we work. We strictly comply with data access laws in all the countries we operate in. We make continuous year-over-year investments in data security policies, practices, technology, software, culture and staffing to stay ahead of the criminal hackers that attempt to exploit our systems. Specifically, Experian has substantially added to its cybersecurity arsenal to address prevention, detection and mitigation. Following this incident, we have further built our organizational structures and have further enhanced our control environment.


DATA INCIDENT DEVELOPMENTS

Q. Was the data used or compromised?

Since Experian South Africa became aware of the fraud on 22 July 2020, our Global Security team has been monitoring various platforms (including the dark web) to ascertain whether the data is being offered for sale. To date, our Global Security teams have not observed the data being offered for sale on the internet, and at this point there is no indication that any misappropriated data has been used for fraudulent purposes.

Additionally, various internal investigations were also launched to ascertain what the perpetrator intends to do with the data. Our investigations indicate that the perpetrator intended to use the data, or make it available for use, for marketing services including offering insurance and credit products to consumers.

On 1 September, our ongoing investigation identified files on the internet, on a restricted file sharing site, which we subsequently confirmed contained Experian data relating to the incident reported in the media on 19 August. We notified the Information Regulator and the NCR of this and published a statement.

Our Global Security team immediately engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site to which they were uploaded. The Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet for further activity. Our global security teams have confirmed that they still have not observed the data being offered for sale on the internet, and at this point there is still no indication that this data has been used for fraudulent purposes.

Q. Are the files you identified on the internet the same files that were fraudulently acquired? How long were they publicly available?

We can confirm that the identified files uploaded to the internet contained Experian data relating to the incident reported in the media on 19 August. It is difficult to determine how long the data was made available through the restricted link; however, upon learning of its availability, our Global Security teams immediately engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site to which they were uploaded. We continue to monitor the internet for further activity.

Q. How were the files uploaded on the internet subsequent to the Anton Piller being executed?

The Anton Piller order allowed the perpetrator's hardware that we were able to locate to be impounded, and the data on that hardware matching specific Experian keywords to be secured and deleted.

If the perpetrator had other devices that were not at the premises, or other cloud accounts, then there is a possibility that the data could have been uploaded from those devices or cloud accounts.

Q. Who uploaded the files on the internet?

The identity of the individual who posted the files on the restricted file sharing site is not known, and we are working with our investigators to confirm this. While there are media articles claiming that the data was placed there by an individual outside of South Africa, those assertions are not substantiated and there is no evidence of that. Our Global Security team engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site to which they were uploaded. The Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet for further activity.

Q. Was the information that was uploaded to the internet obtained by potential fraudsters?

Our investigation is ongoing; however, our Global Security teams have not observed the data being offered for sale on the internet, and at this point there is no indication that any misappropriated data has been used for fraudulent purposes.

Our Global Security team immediately engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site to which they were uploaded. The Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet for further activity.

Q. Did Experian suffer a cyber-attack?

Experian South Africa did not suffer a cyber-attack. We can confirm that Experian South Africa’s bureau infrastructure, systems and database were not and have not been compromised at any point.

Q. Why did Experian issue public assurances that the stolen information had been secured when in fact it had not been?

On 19 August, Experian confirmed that it had identified the suspect and had been successful in obtaining and executing an Anton Piller order, which resulted in the individual's hardware that we were able to locate being impounded and the data on that hardware matching specific Experian keywords being secured and deleted. This announcement was based on the information at our disposal at that stage and was made in good faith. At that point, we were not aware of any further copies of the data.

Since Experian became aware of the fraud on 22 July 2020, our Global Security teams have been monitoring various platforms (including the dark web) to ascertain whether the data was being offered for sale. To date, our Global Security teams have not observed the data being offered for sale on the internet, and at this point there is no indication that any misappropriated data has been used for fraudulent purposes. Additionally, various internal investigations were launched to ascertain what the perpetrator intended to do with the data. Our investigations indicate that the perpetrator intended to use the data, or make it available for use, for marketing services, including offering insurance and credit products to consumers.

The Anton Piller order permitted devices found at the premises of the fraudster to be searched for certain key words and if they contained such words, forensic copies of the relevant files could be made and the data deleted from the devices of the fraudster. The data that matched the keywords was indeed deleted from the fraudster's devices that had been found.

Q. Has the data been found elsewhere on the internet?

We continue to investigate any additional sources of the dataset online and continue to monitor the internet for further activity. On 06 October, an expert technical team from one of our key clients advised us of a file available on a private file sharing site through a unique data access link. The link led to a download site which required the user to have a specialised application to extract the file. Once the extraction was complete, the various files needed to be reviewed first in order to find the data in question. None of the file names included any reference to Experian. On 06 October, we submitted a take-down notice, and the expert technical team also continued with efforts to remove the file from the file sharing site. On 13 October, the expert technical team confirmed that the files had been removed. At this point in time, we do not believe the files to be available online. We remain on high alert and continue our monitoring efforts. We continue to pursue the suspect through all civil and law enforcement means at our disposal.


LEGAL AND CRIMINAL PROCESS

Q. Which authorities have you notified?

Upon discovering the incident, we notified the National Credit Regulator, the Information Regulator and the banks. We have also been engaged with BASA, SABRIC and the prudential authority at the SARB.

Q. Which authorities are investigating the incident?

We are working closely with all relevant authorities, including the Information Regulator, The National Credit Regulator and Law enforcement (SAPS and HAWKS), to help bring the suspect to justice and ensure data protection for all South Africans.

Q. Where are you with the legal and criminal process?

We have completed the interim Anton Piller order. We have notified the HAWKS of the incident and are actively pursuing a criminal case against the individual. The criminal affidavit was provided to the HAWKS on 26 August and on 27 August 2020. A case number has been issued and a prosecutor has been assigned to the case. We continue to work with the HAWKS to bring the suspect to justice.

Q. Why did it take Experian three months to open a criminal case with the police when the data theft occurred in May?

The information was erroneously shared with the fraudster (purporting to represent a legitimate company) on 24 and 27 May 2020. Experian only became aware of the fraud on 22 July 2020.

Experian SA followed up with the person they thought was the client for bills outstanding on 30-day terms and, when no payment was forthcoming, entered into a recovery process. Experian SA subsequently conducted further checks and at that point determined that the transaction was fraudulent. Experian immediately initiated an internal investigation and shortly thereafter, between 4 August and 7 August, informed the National Credit Regulator, the Information Regulator and the affected banks.

Our investigations pointed to a potential suspect, which enabled us to consider all appropriate legal action, including the Anton Piller application. We thus undertook to obtain and execute the Anton Piller order in order to impound the hardware that we were able to locate and ensure that the data on such hardware was secured and deleted. An Anton Piller application is designed to secure evidence that would otherwise be destroyed if the person in possession of the evidence were given notice of the application. It was therefore not possible to disclose the incident to the public prior to the execution of the Anton Piller order, which was successfully completed on Tuesday, 18 August. On 20 August we received the digital forensic expert's draft scene report of the Anton Piller order's execution, and on 24 August we received the supervising attorney's affidavit (including the forensic investigator's report), which we relied on to open the criminal case. It is, however, noteworthy that from the moment we had a suspect in mind, we communicated with law enforcement through our digital forensic experts.

Q. How can you be certain that you have identified the suspect?

The proof required to be granted an Anton Piller order in the Gauteng High Court is extremely stringent and onerous. Experian South Africa was successful in obtaining and executing an Anton Piller order against the suspect, which resulted in the individual's hardware that we were able to locate being impounded and the data on that hardware matching specific Experian keywords being secured and deleted. We can confirm that data containing the keywords of the Anton Piller order (which refer to Experian and the data) was found on the hardware that was seized.

It is significant that the respondent to the Anton Piller application has not opposed the application, as was his right, if he believed that the order was wrongly granted or executed by Experian.

We can confirm that a criminal case was opened by Experian South Africa and the criminal process is now in the hands of law enforcement.

Q. The identity of the suspected perpetrator has been referenced in multiple media reports. He claims that he is being framed by Experian, that the framing is around a deal he had with Compuscan in 2017 and that Experian, which acquired Compuscan in 2019, is now pursuing him for money he allegedly owed Compuscan for data he acquired from that company. Is this true?

Experian has not had prior dealings with the suspected perpetrator; however, Experian acquired a business in 2019 (Compuscan) which had a once-off client relationship with the suspected perpetrator in 2017. The suspected perpetrator contracted with Compuscan for services, but failed to pay for the services due to a dispute regarding the services that were rendered (claiming he did not receive the services, which he confirmed in an affidavit). The relationship was terminated and a legal process commenced. To confirm: there are no ongoing disputes with the suspected perpetrator regarding outstanding payments. Following legal advice in 2017, Compuscan decided not to pursue the case against the suspected perpetrator for the outstanding payment any further.

We can confirm that neither Experian nor Compuscan is pursuing litigation against the suspected fraudster for the payment of monies he allegedly owed Compuscan.

We can confirm that the suspected perpetrator has never done any business with Experian using his legitimate identity and his own company name.

The suspect, assuming the identity of another person and using sophisticated social engineering, purported to represent a legitimate company (not his own) and fraudulently requested services from Experian in May 2020. He impersonated a legitimate director and misrepresented a legitimate known company in the onboarding of a new client with Experian South Africa.

PREVENTION MEASURES AND DATA PROTECTION

Q. What is Experian doing to ensure this incident will not occur again?

Immediate additional controls and safeguards have been introduced to prevent this type of fraud from occurring again. We have reviewed our onboarding process and have introduced additional and enhanced controls to verify and authenticate who we deal with. Our newly designed processes will be subject to an external audit by an independent external auditor. Additionally, Experian has conducted a full risk assessment and root cause analysis to further strengthen the processes and organisational measures in place to prevent unlawful access to information held by Experian. The remedial actions have been implemented, and further refinement of the control environment is also taking place.

Q. Could this have compromised information of individuals from other markets?

No. This fraud incident is limited to information held in South Africa and does not go beyond.

Q. What processes and protocols does Experian have in place to protect consumer data and privacy?

Privacy is at the heart of what we do and the way we work. We make continuous year-over-year investments in data security policies, practices, technology, software, culture and staffing to stay ahead of the criminal hackers that attempt to exploit our systems. Specifically, Experian has substantially added to its cybersecurity arsenal to address prevention, detection and mitigation. Following this incident, we have further built our organizational structures and have further enhanced our control environment.

Q. Is Experian POPI compliant and, if not, why? When will Experian be compliant?

Experian's POPIA implementation has been underway since 2018, and Experian is on track to have POPIA fully implemented by June 2021. Experian has implemented, and will continue to implement, operational and compliance changes in order to comply with the requirements of POPIA. These will apply to both consumer and business information.