The Information Regulator of South Africa has received information from a whistleblower regarding data from the Experian data leak being found on the dark web.
This data reportedly includes the cellphone numbers, home numbers, work phone numbers, employment details, and identity numbers of individuals.
Company data available reportedly includes the names of companies, as well as their contact details, VAT numbers, and banking details.
“The Regulator is extremely disturbed about the information that it has received from the whistleblower, particularly because during the meeting which it held with Experian last week, its Chief Executive Officer, Mr Ferdie Pieterse, assured the Regulator that Experian had obtained an Anton Piller order and managed to execute the order in terms of which the personal information of data subjects was appropriately secured,” said the Information Regulator.
According to the Regulator, it wrote to Experian on Wednesday regarding this new development, and Experian responded as follows:
“I can confirm that we have located the files on the Internet and that we are currently running an analysis on the files to ascertain whether it is an exact match. However, our preliminary investigation indicates that it is reasonable to assume that it is the files that were released to the fraudster and we have issued a public notification to this effect.”
Later, Experian confirmed to the Regulator that the files found online comprised the same data that was misappropriated in the attack, although it claimed that the data was not on the dark web, but was rather on a third-party data-sharing site.
Experian said that this third-party site, which is hosted in Switzerland, has disabled the links and the data has been removed.
“Whilst the Regulator appreciates the prompt response and cooperation it has received from Experian, it is concerned that the personal information of data subjects continues to be vulnerable and Experian seems to be struggling to secure the protection of personal information of millions of South Africans,” said the Regulator.
The Regulator noted that it is mindful of the Protection of Personal Information Act (POPIA) giving parties until 1 July 2021 to ensure that all processing of such personal information conforms to the Act.
“However, the Regulator would like to advise the public that the grace period provided for in POPIA does not absolve responsible parties from the legal obligation of ensuring that they process personal information in accordance with POPIA,” it said.
The regulator said it will be conducting an independent review to assess the extent of the data breach and to explore a suitable solution to ensure that affected data is protected.
It is working with its counterpart in Switzerland, the Federal Data Protection and Information Commissioner, since “the breach involves cross border flow of personal information.”
When asked for comment regarding the situation, Experian said it is continuing to investigate the incident.
“As a part of this investigation, we have identified files which we believe contain Experian data relating to the incident on the Internet,” said Experian.
“We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible.”
It also noted that a criminal case was opened last week in South Africa and the matter is now being handled by law enforcement.
“When we first became aware of the fraudulent incident we took immediate steps to make sure that individuals and businesses in South Africa could take steps to protect themselves,” said Experian.
“The fraudster obtained business information on some South African business entities. We reiterate, however, that no sensitive consumer credit or financial information was obtained by the fraudster in this incident.”