Personal data exposure notification service Have I Been Pwned? has sent notifications to over a million South Africans regarding a data breach that has been connected to Experian.
The South African Banking Risk Centre (SABRIC) announced on 19 August that a data breach at Experian exposed the personal banking-related information of as many as 24 million South Africans and nearly 793,749 businesses.
Following the report, Experian issued a statement to clarify the nature of the incident, saying it was not hacked and that no financial information was compromised.
According to Experian, an individual in South Africa who claimed to represent a legitimate client fraudulently requested services from the company in May 2020.
Experian discovered the alleged fraud in July 2020 and disclosed the matter to South Africa’s information regulator and the public in August.
Experian Africa CEO Ferdie Pieterse has also stated that they are pursuing criminal charges against the alleged fraudster.
While Experian was trying to downplay the severity of the leak, South African banks were providing clients with tips on how to keep themselves safe from potential identity theft and phishing attacks.
This caused a lot of confusion and raised questions regarding the severity and potential impact of the leak.
iAfrikan, together with Troy Hunt from Have I Been Pwned, have now reported that they have found a database containing the stolen data from Experian on the public Internet.
Sensitive personal information exposed
Hunt stated that only 1.3 million of the records contained in the data leak contained e-mail addresses. However, the whole database contains entries for “tens of millions of individuals”.
iAfrikan also reported that the dataset contains far more personal information than Experian initially let on.
This includes ID numbers, names, addresses, occupations and other employment information.
Company data found in the breach includes fields for financial information such as bank account numbers and branches.
Experian – We continue to investigate the leak
According to Hunt and iAfrikan’s reports, this dataset is connected to the leak originally disclosed by SABRIC on 19 August. Experian has also confirmed this.
“Experian continues to investigate the isolated incident in South Africa involving a fraudulent data inquiry,” the credit bureau told iAfrikan.
“As part of this investigation, we have identified files which we believe contain Experian data relating to the incident on the internet. We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible.”
Experian dataset contains old e-mail addresses
Following the Have I Been Pwned notification of the breach, a MyBroadband forum member whose e-mail address was in the database contacted us.
This MyBroadband forum member explained that the email address contained in the Experian data leak is a unique address that he has not used since 2012.
“It was an email address I used exclusively for FNB back in 2012 before I changed to a different, unique email address due to spam as FNB gave out my unique FNB-only email address to its marketing partners,” he said.
“I am surprised that the unique email address I used after 2012 for FNB is not included in the Experian data breach.”