Experian SA CEO says it was not hacked; rather, a clever criminal convinced it to provide the data

Would it not be better to agree it was a hack? Rather than saying they were conned, and they illegally shared the information to a customer of their entire database? Not sure which is even worse.
I think Experian is trying to position this as an isolated event in South Africa to avoid concerns about the security of its systems globally. If people start to see Experian's system as vulnerable, it can affect the company worldwide.
 
I think Experian is trying to position this as an isolated event in South Africa to avoid concerns about the security of its systems globally. If people start to see Experian's system as vulnerable, it can affect the company worldwide.
Makes sense - surely it is concerning that the action took over 2 months to remedy?
 
Let's reverse the roles and see how easy it is to get sympathy from a major company CEO when a customer gets duped..

 
I think Experian is trying to position this as an isolated event in South Africa to avoid concerns about the security of its systems globally. If people start to see Experian's system as vulnerable, it can affect the company worldwide.

Clearly their systems are vulnerable if a simple social engineering attack can get into their systems.

**EDIT**
If anything this admission of theirs is even worse than them being "hacked" in the sense that the CEO intends.
 
Experian South Africa CEO Ferdie Pieterse downplayed the seriousness of a data breach at his company which exposed the personal details of 23.4 million South Africans.


Downplayed? This sounds even more serious! Lack of controls.

They just admitted to being idiots. Can't take it back now. Slap em with a fine big enough to bankrupt them

POPI will dance!
 
Mr Ferdie Pieterse - that response clearly shows that you are not qualified to head a company of any type or size. The fact is that you have failed badly. And your biggest mistake is that you STILL appear to not recognize it. You are trying to explain away a very serious incident, instead of owning up to the issue and making the necessary reparations.
 
I think Experian is trying to position this as an isolated event in South Africa to avoid concerns about the security of its systems globally. If people start to see Experian's system as vulnerable, it can affect the company worldwide.

The problem I have with all credit bureaus is that they allow their clients to purchase data from them. Their clients can indeed upload a CSV file with millions of ID Numbers and their system will return a file with contact numbers, and any other information you require. How this incident occurred, I am not sure. Maybe the offender walked into an office with a disc or he logged in using an existing client's details. But, if they are allowed to sell consumer information, this problem will never go away.
 
With a hack you can at least look at the logs to see what data was downloaded. With this social engineering attack he gave the keys to the bank robber and told him, take your time, we will turn off our cameras for 3 months.
 
I think Experian is trying to position this as an isolated event in South Africa to avoid concerns about the security of its systems globally. If people start to see Experian's system as vulnerable, it can affect the company worldwide.
Well their systems are vulnerable to social engineering. I assume this is a staff training issue then if not a technical issue? *cough*
Quick q...
if indeed:
“The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”
Why then would it be necessary to:
"....used social engineering techniques to put himself forward as a known customer of Experian.
The fraudster then convinced Experian, in the normal cause of business, to provide him with the records of 23.4 million individuals."

Colour me jaded, but it seems to me this was not so much a social engineering hack as a voluntary leak of information to a known third party under the guise of a hack.
Won't be the first time it's happened.
 
“The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”

This is what they want to use as scapegoat.

They already said the 'criminal' had a list of names, surnames and ID Numbers. I believe this, because this is how you get batch data from them. You can either upload the list, mail it to them, post it to them or take it to them personally. They then give your file back to you with the required information.

They are going to claim that the phone numbers they provided were publicly accessible information that came from Google, other search engines, social media, etc.
 