Experian South Africa open letter from Ferdie Pieterse

Experian fraudulent data incident

Dear Clients, Consumers and Business owners

The Experian South Africa data incident has been a significant event affecting consumers and businesses in South Africa. Further impacting the incident was the continued misinformation seen in the media and that we were previously unable to respond to the media in a comprehensive manner due to the time and process sensitivity of the matter, the criminal investigation and the Anton Piller process.

I want you to know that the protection of your data and personal information is our priority. And on behalf of Experian SA, I apologise for the stress and concern this has caused you. I advise  concerned consumers to monitor their free credit report at www.mycreditcheck.co.za, and businesses to request their free business credit report by emailing ServiceDeskSouthAfrica@experian.com

My commitment is to be as transparent as possible without compromising the ongoing investigation and use our platforms to keep you informed of any further developments of this incident.

This letter aims to clarify the process we followed, the actions we took, and the details of the information concerned in relation to the Experian South Africa data incident.


Details of the investigation into the incident

Experian concluded an agreement for services with a company who was impersonated.

As soon as this fraud was detected by Experian, we immediately engaged a team of data, security and information experts, and appointed industry experts to investigate the incident, communicate with key stakeholders, strengthen our organisational protocols and business processes, and provide support to affected consumers and businesses.

Various investigations into the incident have been conducted including a security assessment, compliance assessment and risk assessment. We will furthermore continue to add additional safeguards and enhancements to our business following continuous assessments of our environment.

We have attempted to answer all the questions around this incident in a detailed FAQ which is available on our website at  https://www.experian.co.za/fraudulent-data-incident/faqs

There you’ll find:

  • details of the categories of consumer and business information concerned, including what we were provided with versus what we returned.
  • When the events occurred, our reaction to the events and the processes and actions we followed.
  • Explanations of the measures we’ve put into place to prevent such an event in the future.
  • Interventions and free monitoring we’ve put into place for consumers and businesses.


The information shared with the fraudster

It is important for us to clarify that Experian did not provide the fraudster with identity details. The fraudster provided Experian with 25,055,049 names, surnames and South African identity numbers which Experian verified.  The data shared was limited to contact information including telephone, email and physical address and employment information which includes place of work, title, start date and work contact details. No personal consumer credit, financial or banking information was shared by Experian.

The fraudster also provided Experian with the names, addresses and registration dates of approximately 790,000 businesses. The business information that Experian shared back consisted of company registration details, general business information, company contact information and credit profile information. For 24,838 business entities, bank account numbers were also shared.


Ongoing investigation developments

Our ongoing investigation identified files which we subsequently confirmed contained Experian data relating to the incident on the internet. On 1 September, our Global Security teams removed the files from a private file sharing site where they were uploaded to. Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet (including the dark web) for further activity. The Global security team have not observed the data being offered for sale (i.e. to commit identity theft) on the internet and at this point there is no indication that this data has been used for fraudulent purposes. They also confirmed that Experian South Africa bureau’s infrastructure, systems and databases remain secure and have not been compromised.

Various internal investigations were also launched to ascertain what the perpetrator intends to do with the data. Our investigations indicate that the perpetrator intended to use the data, or make it available for use, for marketing services including offering insurance and credit products to consumers.

We have notified the HAWKS of the incident and are actively pursuing a criminal case. The criminal affidavit was provided to the HAWKS on 26 August and on 27 August 2020. A case number has been issued and a prosecutor has been assigned to the case.


What Experian is doing for Consumers and Businesses

Let me assure you that our priority was – and remains – to help and support businesses and consumers in South Africa.

Our Consumer Care Agents and Client Service Desks have been equipped to assist with all incoming consumer and business queries.

Consumers are provided with free access to their credit profile (for life) and are able to dispute their information for free at www.mycreditcheck.co.za. Consumers who request their free credit report through My Credit Check or My Credit Expert, will also automatically receive free SMS notifications on their cellphone when any credit enquiry is made on their credit report until 31 December 2023.

We are providing affected businesses with a copy of their business credit report as well as free business alerts which provide businesses with immediate notifications if there is any event or change on their company profile held on the Experian database, including CIPC updates.To activate these Business Alerts and receive access to their free Business Credit Report, companies can email ServiceDeskSouthAfrica@experian.com. The complimentary Business Alerts service will be provided until 31 December 2023.


Steps taken to prevent this incident from occurring again

Experian has conducted a full risk assessment and root case analysis to further strengthen the appropriate processes and organisational measures in place to prevent unlawful access to information held by Experian. The remedial actions have been implemented and further refinement to the control environment is also taking place.

Experian’s POPIA Act implementation has been underway since 2018, and Experian is on track to have POPIA fully implemented by June 2021. Experian has and will continue to implement certain operational and compliance changes in order to comply with the requirements of POPIA. These will apply to both consumer and business information.


In closing

We continue to work closely with both law enforcement and the Regulators to ensure that the suspect is brought to justice.

I sincerely hope that my apology and the information contained in this letter provide clarity, have meaning for you and open the way for reparation.

Should you have any further concerns or questions on the above, please contact Experian South Africa leadership directly by emailing ceo.za@experian.com  

Kind regards

Ferdie Pieterse

CEO of Experian South Africa 

Guidance for consumers

Guidance for businesses