We will continue to add questions and answers as they manifest themselves related to the data incident that occurred in 2020.
The facts contained herein are to the best of our knowledge true and accurate. We will update this document as more facts transpire.
QUESTIONS RECENTLY UPDATED ON 27 OCTOBER 2021
Q. Has the data been found elsewhere on the internet?
On Sunday 24 October 2021, we became aware of messages sent to a limited group of people on social media messaging platforms. They related to last year’s data incident and is not a new data incident. We immediately informed law enforcement and the appropriate regulatory bodies on Sunday and supported them in their investigations while also carrying out our own. Before noon on Tuesday, 26 October 2021, those files were deleted and removed from the messaging platform. Our Global security teams remain vigilant and continue to monitor the internet as the possibility exists for further posting of this data and we will deal with any posts as quickly as is possible. We remain committed to supporting people and businesses in South Africa by continuing to offer free credit enquiry alerts until the end of December 2023 and other support services free of charge until February 2022.
We advise concerned consumers to monitor their free credit reports at www.mycreditcheck.co.za, and businesses to request their free business credit reports by emailing ServiceDeskSouthAfrica@experian.com.
Once they have received their credit report, they will automatically receive free SMS alerts when a credit enquiry is made on their credit report from now until 31 December 2023.
To assist consumers in monitoring their personal information online, Experian has brought My Identity Check to South Africa. My Identity Check allows consumers to monitor the dark web for their personal information. This service is free until 1 February 2022. To find out more, visit: https://www.experian.co.za/consumer/myidentitycheck
Consumers can also contact our Customer Care agents at za.consumercare@experian.com or on 0861 51 41 31 with any questions or concerns they may have.
Q. What type of information was shared with the fraudster?
We can confirm that no personal consumer credit, financial or banking information was shared. The data was limited to non-confidential contact information including telephone, email and physical address and employment information which includes place of work, title, start date and work contact details.
The table below outlines what information the fraudster provided Experian with and the information that Experian added to the file and provided back to the fraudster.
Consumer Information |
Information provided by the Fraudster to Experian |
Information provided by Experian to the Fraudster |
|---|---|---|
Name |
Yes |
Not provided by Experian |
Surname/s |
Yes |
Not provided by Experian |
RSA ID number |
Yes |
Not provided by Experian |
Cellphone number/s |
|
Provided where available |
Home telephone number/s |
|
Provided where available |
Other telephone number/s |
|
Provided where available |
Work Phone/s |
|
Provided where available |
Email address/s |
|
Provided where available |
Address/s |
|
Provided where available |
Place of work, work address, title and start date |
|
Provided where available |
Note that while the name, surname and ID number is included in the data file, this data did not originate from Experian.
Experian did not provide the name, surname and identity number of the consumers. The perpetrator already had in his possession this data which was not provided by Experian and was sourced elsewhere. Experian provided the contact information and employment details as outlined in the table above.
Q. Did Experian provide identity numbers on South African individuals?
Experian did not provide the Fraudster with identity details. The Fraudster provided Experian with 25,055,049 names, surnames and South African identity numbers which Experian verified. Experian appended the information described above (summarized as contact and employment details) to the data that was supplied by the Fraudster. Experian also added a verification status on the ID.
Q. Did Experian provide credit data, credit scores or bank account details on individuals to the fraudster?
No, Experian did not provide any financial or credit-related information to the Fraudster. The consumer information shared on individuals contained contact details and employment information only (as described above).
Q. Have you notified the affected consumers?
We issued a media statement on 19 August 2020 (before which we contacted the regulators) and simultaneously updated our website with a notification on the data incident. We would advise any individual who has concerns about their data to check their credit report by visiting www.mycreditcheck.co.za, which they can do for free. Consumers who request their free credit report through My Credit Check or My Credit Expert, will also automatically receive free SMS notifications on their cellphone when any credit enquiry is made on their credit report until 31 December 2023.
Q. What is Experian doing to help the affected consumers?
We are providing consumers with unlimited free access to their credit report as well as, for those consumers who request their free credit report through My Credit Check or My Credit Expert, they will also receive free SMS alerts when a credit enquiry is made on their credit report from now until 31 December 2023.
To assist consumers in monitoring their personal information online, Experian has brought My Identity Check to South Africa. My Identity Check allows consumers to monitor the dark web for their personal information, this service is free until 1 February 2022. To find out more, visit: https://www.experian.co.za/consumer/myidentitycheck
Please visit www.mycreditcheck.co.za where you can access your personal credit report for free. If you have any questions or concerns, please email our Customer Care agents at za.consumercare@experian.com or contact us on 0861 51 41 31.
Q. What type of information was shared with the fraudster?
The business information that Experian shared consisted various fields including company registration details, general business information, company contact information and credit profile information. For 24,838 business entities, bank account numbers were also shared.
We have included a summarized table below of the business information and data fields Experian provided back to the fraudster for your ease of understanding.
Business Information |
Examples |
Company registration details |
Legal name, Alternative name, previous name, changed name, type of entity, company status, registration number |
General business information |
Holding company, Ultimate Holding company, principals, number of employees, premises, BEE (Yes/ No indicator), VAT Number/flag, Sicc information |
Company contact information |
Telephone, Postal address, street address, province, branches, email, fax |
Credit information |
Score, Judgements (Yes/ No indicator), Last JU Date, Liquidations, Adverse references (Yes/ No indicator), Enquiry amount, Enquiry terms, turnover range |
Banking information |
Bank code, Bankers, Branch, Bank Account numbers shared on 24, 838 business entities |
Other information |
Kim number, Report date, Import/ Export, R/D Cheque, Auditor, NCA (Yes/ No Indicator) |
Q. Have you notified the affected businesses?
We issued a media statement on 19 August 2020 and simultaneously updated our website with a notification on the data incident.
We also engaged the affected banks to assist with monitoring for any abnormal activity as well as to inform the impacted business entities.
We would advise any business who has concerns about their data to contact Experian on 0861 3973 7426 or email ServiceDeskSouthAfrica@experian.com.
Q. What is Experian doing to help the affected businesses?
We provided affected businesses with a copy of their business credit report for 6 months as well as free business alerts. The free Business Alerts provide immediate notifications if there is any event or change on their company profile held on the Experian database, including CIPC updates. The complimentary Business Alerts service will be provided to you until 31 December 2023.
To activate these Business Alerts and receive access to your Business Credit Report, please email ServiceDeskSouthAfrica@experian.com
Q. Was Experian hacked?
No. Experian South Africa has been the victim of fraud in which the perpetrator, pretending to be a legitimate business, made a fraudulent data inquiry. We have introduced additional authentication controls to prevent this type of incident from occurring again.
Q. When exactly did the fraud occur?
The information was shared on the 24 and 27 May 2020. Experian became aware of the fraud on 22 July 2020.
Immediately upon discovering the incident Experian investigated the matter, then proceeded to notify the regulators and affected banks. We instituted an Anton Piller application which delayed publishing the incident due thereto that the Anton Piller is reliant on the element of surprise and we therefore could not make the incident public. The execution of the Anton Piller order was completed on Tuesday, 18 August 2020. Experian issued a media statement on Wednesday, 19 August 2020.
Q. What caused the delay between the date the fraud took place and the public notification?
Experian SA followed-up with the purported client for bills outstanding on 30-day terms and when no payment was forthcoming entered into a recovery process. Experian SA subsequently conducted further checks and at the point determined that the transaction was fraudulent. Experian immediately initiated an internal investigation and shortly thereafter informed the necessary authorities as well as the banks.
Our investigations pointed to a suspect which enabled us to consider all appropriate legal action, including the Anton Piller application. We thus undertook to obtain and execute a successful Anton Piller order in order to impound hardware that we were able to locate and ensure that the data on such hardware was secured and deleted. By nature of the Anton Piller application, it required extreme secrecy as the element of surprise is crucial in executing the order. We therefore could not disclose the incident prior to the execution of the Anton Piller order, the execution of which was successfully completed on Tuesday 18 August 2020.
Q. Why did Experian only inform the Regulators of the data theft in August 2020 when the theft occurred in May 2020?
Experian only became aware of the fraud on 22 July 2020. Experian SA followed-up with the person they thought was the client for bills outstanding on 30-day terms and when no payment was forthcoming entered into a recovery process. Experian SA subsequently conducted further checks and at that point determined that the transaction was fraudulent. Experian immediately initiated an internal investigation and shortly thereafter, between 4 August 2020 and 7 August 2020, informed the National Credit Regulator, the Information Regulator and the affected banks.
Q. How did the fraud actually happen?
The fraudster impersonated a director of a known company and preceded to procure services from Experian as a client. The data was shared with the purported client utilising Experian’s secure data transfer protocols.
Q. Can anybody buy data from you?
No. Depending on the type of data, a requestor of data must provide a reason for requesting the data. The Purported Client provided Experian with a valid data access reason given the nature of his purported business and the data was released based on the reason provided.
Q. How was the information provided to the fraudster?
The data was shared with the purported client utilising Experian’s secure data transfer protocols. No data was shared via email or on any external devices.
Q. Did the fraudster use a thumbnail drive?
No. The fraudster did not use a thumbnail drive or USB flash drive.
Q. Was the data used or compromised?
We have been monitoring and continue to monitor the various platforms (including the dark web) to ascertain whether the data is being offered for sale. Our ongoing investigations identified files which we subsequently confirmed contained Experian data relating to the incident on the internet. We can confirm that our Global Security teams have removed these files from the Internet site where it was uploaded to and continue to monitor the internet for further activity.
Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes and it appears that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.
Q. What is Experian doing to ensure this incident will not occur again?
Immediate additional controls and safeguards have been introduced to prevent this type of fraud from occurring again. We have reviewed our onboarding process and have introduced additional controls to verify and authenticate who we deal with. Our newly designed processes have been be subject to an external audit by an independent external auditor.
Q. Which authorities have you notified?
Upon discovering the incident, we notified the National Credit Regulator, the Information Regulator and the banks. We have also been engaged with BASA, SABRIC and the prudential authority at the SARB.
Q. What is the status of the criminal investigation? What has happened to the suspect?
We are aware that a suspect has been arrested and appeared in court. While the law enforcement process is ongoing, we are unable to comment further. Please refer any queries about the arrest to the Hawk’s Serious Commercial Crime Investigation.
Q. What progress has been made on the civil proceedings?
The Anton Piller order was executed and made final in November 2020. We are considering further legal action against the suspect however, are mindful of the criminal proceeding and want to ensure that any civil action does not jeopardise the criminal investigation.
Q. Could this have compromised information of individuals from other markets?
No. This fraud incident is limited to information held in South Africa and does not go beyond.
Q. What processes and protocols does Experian have in place to protect consumer data and privacy?
Privacy is at the heart of what we do and the way we work. We strictly comply with data access laws in all the countries we operate in. We make continuous year-over-year investments in data security policies, practices, technology, software, culture and staffing to stay ahead of the criminal hackers that attempt to exploit our systems. Specifically, Experian has substantially added to its cybersecurity arsenal to address prevention, detection and mitigation. Following this incident, we have further built our organizational structures and have further enhanced our control environment.
DATA INCIDENT DEVELOPMENTS
Q. Was the data used or compromised?
Since Experian South Africa became aware of the fraud on 22 July 2020, our Global security team have monitoring various platforms (including the dark web) to ascertain whether the data is being offered for sale. To-date, our Global Security teams have not as yet observed the data being for sale on the internet and at this point there is no indication that any misappropriated data has been used for fraudulent purposes.
Additionally, various internal investigations were also launched to ascertain what the perpetrator intends to do with the data. Our investigations indicate that the perpetrator intended to use the data, or make it available for use, for marketing services including offering insurance and credit products to consumers.
On 1 September 2020 our ongoing investigation identified files which we subsequently confirmed contained Experian data relating to the incident reported in the media on 19 August 2020 on the internet via a restricted file sharing site. We notified the Information Regulator and NCR of this and published a statement.
Our Global Security team immediately engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site that they were uploaded to. Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet for further activity. Our global security teams have confirmed that they still have not as yet observed the data being for sale on the internet and at this point there is still no indication that this data has been used for fraudulent purposes.
Q. Are the files you identified on the internet the same files that were fraudulently acquired? How long where they publicly available?
We can confirm that the identified files uploaded to the internet contained Experian data relating to the incident reported in the media on 19 August 2020. It is difficult to determine how long the data was made available through the restricted link , however upon learning of its availability, our Global Security teams immediately engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site that they were uploaded to and continue to monitor the internet for further activity.
Q. How were the files uploaded on the internet subsequent to the Anton Piller being executed?
The Anton Piller allows for the perpetrator’s hardware that we were able to locate being impounded and the data relating to specific Experian key words on such hardware being secured and deleted.
If the perpetrator had other devices that was not at the premises or other cloud accounts, then there is a possibility that the data could have been uploaded from those devices or cloud accounts.
Q. Who uploaded the files on the internet?
The identity of the individual who posted the files on the restricted file sharing site is not known and we are working with our investigators to confirm this. While there are media articles claiming that the data was placed there by an individual outside of South Africa, those assertions are not substantiated and there is no evidence of that. Our Global Security team engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site that they were uploaded to. Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet for further activity.
Q. Was the information that was uploaded to the internet obtained by potential fraudsters?
Our investigation is ongoing; however, our Global Security teams have not as yet observed the data being for sale on the internet and at this point there is no indication that any misappropriated data has been used for fraudulent purposes.
Our Global Security team immediately engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site that they were uploaded to. Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet for further activity.
Q. Did Experian suffer a cyber-attack?
Experian South Africa did not suffer a cyber-attack. We can confirm that Experian South Africa’s bureau infrastructure, systems and database were not and have not been compromised at any point.
Q. Why did Experian issue public assurances that the stolen information had been secured when in fact it had not been?
On 19 August 2020, Experian confirmed that it had identified the suspect and was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware that we were able to locate being impounded and the data relating to specific Experian key words on such hardware secured and deleted. This announcement was based on the information at our disposal at that stage and was made in good faith. At that point, we were not aware of any further copies of the data.
Since Experian became aware of the fraud on 22 July 2020, our Global Security teams have been monitoring various platforms (including the dark web) to ascertain whether the data was being offered for sale. To-date, our Global Security teams have not as yet observed the data being for sale on the internet and at this point there is no indication that any misappropriated data has been used for fraudulent purposes. Additionally, various internal investigations were also launched to ascertain what the perpetrator intends to do with the data. Our investigations indicate that the perpetrator intended to use the data, or make it available for use, for marketing services including offering insurance and credit products to consumers.
The Anton Piller order permitted devices found at the premises of the fraudster to be searched for certain key words and if they contained such words, forensic copies of the relevant files could be made and the data deleted from the devices of the fraudster. The data that matched the keywords was indeed deleted from the fraudster's devices that had been found.
Q. Has the data been found elsewhere on the internet?
On Sunday 24 October 2021, we became aware of messages sent to a limited group of people on social media messaging platforms. They related to last year’s data incident and is not a new data incident. We immediately informed law enforcement and the appropriate regulatory bodies on Sunday and supported them in their investigations while also carrying out our own. Before noon on Tuesday, 26 October 2021, those files were deleted and removed from the messaging platform. Our Global security teams remain vigilant and continue to monitor the internet as the possibility exists for further posting of this data and we will deal with any posts as quickly as is possible. We remain committed to supporting people and businesses in South Africa by continuing to offer free credit enquiry alerts until the end of December 2023 and other support services free of charge until February 2022.
LEGAL AND CRIMINAL PROCESS
Q. Which authorities have you notified?
Upon discovering the incident, we notified the National Credit Regulator, the Information Regulator and the banks. We have also been engaged with BASA, SABRIC and the prudential authority at the SARB.
Q. Which authorities are investigating the incident?
We are working closely with all relevant authorities, including the Information Regulator, The National Credit Regulator and Law enforcement (SAPS and HAWKS), to help bring the suspect to justice and ensure data protection for all South Africans.
Q. Where are you with the legal and criminal process?
We have completed the interim Anton Piller order. We have notified the HAWKS of the incident and are actively pursuing a criminal case against the individual. The criminal affidavit was provided to the HAWKS on 26 August and on 27 August 2020. A case number has been issued and a prosecutor has been assigned to the case. We continue to work with the HAWKS to bring the suspect to justice.
Q. Why did it take Experian three months to open a criminal case with the police when the data theft occurred in May?
The information was erroneously shared with the fraudster (purporting to represent a legitimate company) on 24 and 27 May 2020. Experian only became aware of the fraud on 22 July 2020.
Experian SA followed-up with the person they thought was the client for bills outstanding on 30-day terms and when no payment was forthcoming entered into a recovery process. Experian SA subsequently conducted further checks and at that point determined that the transaction was fraudulent. Experian immediately initiated an internal investigation and shortly thereafter, between 4 August 2020 and 7 August 2020, informed the National Credit Regulator, the Information Regulator and the affected banks.
Our investigations pointed to a potential suspect which enabled us to consider all appropriate legal action, including the Anton Piller application. We thus undertook to obtain and execute the Anton Piller order in order to impound hardware that we were able to locate and ensure that the data on such hardware was secured and deleted. An Anton Piller application is designed to secure evidence that would otherwise be destroyed if the person in possession of the evidence is given notice of the application. It was therefore not possible to disclose the incident to the public prior to the execution of the Anton Piller order, the execution of which was successfully completed on Tuesday 18 August 2020. On 20 August 2020, we received the digital forensic expert’s draft scene report of the Anton Piller order’s execution, with the Anton Piller’s supervising attorney’s affidavit (including the forensic investigator’s report) received on 24 August 2020, which we relied on to open the criminal case. It is however noteworthy that from the moment we had a suspect in mind, through our digital forensic experts, we communicated with law enforcement.
Q. How can you be certain that you have identified the suspect?
The proof required to be granted an Anton Piller execution in the Gauteng High Court is extremely stringent and onerous. Experian South Africa was successful in obtaining and executing an Anton Piller order against the suspect which resulted in the individual’s hardware that we were able to locate being impounded and the data relating to specific Experian key words on such hardware secured and deleted. We can confirm that data containing the key words (which refers to Experian and the data) of the Anton Piller order was found on the hardware that was seized.
It is significant that the respondent to the Anton Piller application has not opposed the application, as was his right, if he believed that the order was wrongly granted or executed by Experian.
We can confirm that a criminal case was opened by Experian South Africa and the criminal process is now in the hands of law enforcement.
Q. The identity of the suspected perpetrator has been referenced in multiple media reports. He claims that he is being framed by Experian, that the framing is around a deal he had with Compuscan in 2017 and that Experian, which acquired Compuscan in 2019, is now pursuing him for money he allegedly owed Compuscan for data he acquired from that company. Is this true?
Experian have not had prior dealings with the suspected perpetrator however Experian acquired a business in 2019 (Compuscan) who had a once off client-relationship with the suspected perpetrator in 2017. The suspected perpetrator contracted with Compuscan for services, however failed to pay for the services due to a dispute regarding the services that was rendered (claiming he did not receive the services, which he confirmed in an affidavit). The relationship was terminated, and a legal process commenced. To confirm there are no ongoing disputes with the suspected perpetrator regarding outstanding payments. Following legal advice in 2017, Compuscan decided not to further pursue the case against the suspected perpetrator for payment outstanding.
We can confirm that neither Experian nor Compuscan is pursuing litigation against the suspected fraudster for the payment of monies he allegedly owed Compuscan.
We can confirm that the suspected perpetrator has never done any business with Experian using his legitimate identity and his own company name.
The suspect, assuming the identity of another person and using sophisticated social engineering, purported to represent a legitimate company (not his own) and fraudulently requested services from Experian in May 2020. He impersonated a legitimate director and misrepresented a legitimate known company in the onboarding of a new client with Experian South Africa.
Q. What is the latest status on the apprehension of the suspect?
A warrant of arrest has been issued against the suspect. The suspect appeared in the Palm Ridge Magistrates court on 15 September 2021, on charges of fraud and the contravention of the Electronic Communications and Transactions Act as per the statement issued by the Directorate for Priority Crimes Investigations (HAWKS). His next court appearance is on 29 October 2021. For more details please refer to https://www.saps.gov.za/newsroom/msspeechdetail.php?nid=35238
PREVENTION MEASURES AND DATA PROTECTION
Q. What is Experian doing to ensure this incident will not occur again?
Immediate additional controls and safeguards have been introduced to prevent this type of fraud from occurring again. We have reviewed our onboarding process and have introduced additional and enhanced controls to verify and authenticate who we deal with. Our newly designed processes will be subject to an external audit by an independent external auditor. Additionally, Experian has conducted a full risk assessment and root case analysis to further strengthen the appropriate processes and organizational measures in place to prevent unlawful access to information held by Experian. The remedial actions have been implemented and further refinement to the control environment is also taking place.
Q. Could this have compromised information of individuals from other markets?
No. This fraud incident is limited to information held in South Africa and does not go beyond.
Q. What processes and protocols does Experian have in place to protect consumer data and privacy?
Privacy is at the heart of what we do and the way we work. We make continuous year-over-year investments in data security policies, practices, technology, software, culture and staffing to stay ahead of the criminal hackers that attempt to exploit our systems. Specifically, Experian has substantially added to its cybersecurity arsenal to address prevention, detection and mitigation. Following this incident, we have further built our organizational structures and have further enhanced our control environment.