Security 27.09.2020

Highly sensitive information about South Africans from Experian breach now freely available online

On 19 August 2020, the South African Banking Risk Centre (SABRIC) announced a data breach at consumer, business, and credit information services agency Experian.

Experian’s major clients include several South African banks, and the company holds highly sensitive financial and personal information of local citizens and businesses.

According to SABRIC, personal banking-related information of 24 million South Africans and 793,749 businesses was exposed following the data breach.

Following the SABRIC announcement, Experian issued a statement saying it was not hacked and that the number of leaked records was overstated.

Experian South Africa CEO Ferdie Pieterse said the data breach actually exposed the personal details of 23.4 million South Africans and 607,000 businesses.

He said the security breach occurred when an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian.

The perpetrator used social engineering techniques to put himself forward as a known customer and convinced Experian, in the normal course of business, to provide him with the records of 23.4 million individuals.

According to Pieterse, the fraudster already had the names, surnames, and ID numbers of people and Experian only provided contact information to the fraudster – telephone numbers and addresses.

While Pieterse downplayed the severity of the breach, security experts highlighted that it poses a big security risk to individuals and businesses.

J2 Software managing director John Mc Loughlin said this is a serious data breach which should concern people.

He highlighted that the information breach already happened in May and the data has been “out there for months”.

“We live in a digital world. That data can be absolutely anywhere, and that is the information which hackers need to target people for identity theft, SIM swaps, and other fraud,” he said.

This “highly valuable and rich data set” provides fraudsters with the means to launch attacks against people.

Data available online

It was not long before this data found its way to the Internet.

Earlier this month, the Information Regulator of South Africa raised concerns that data from the Experian data leak was found on the dark web.

It said the data includes the cellphone numbers, home numbers, work phone numbers, employment details, and identity numbers of individuals.

Company data available reportedly includes the names of companies, as well as their contact details, VAT numbers, and banking details.

Last week, MyBroadband received information from an anonymous source that the Experian data breach file is now widely available online.

“The Experian data breach file is all over the web. I have managed to locate the file at a number of locations,” he said.

With the help of security experts, MyBroadband verified that the data is indeed available through a simple download link online and not only on the dark web.

This means anyone with a browser and Internet connection can download the data, which is contained in multiple CSV files.

MyBroadband also verified the accuracy of the data by contacting businesses whose details are contained in the leak.

Responding to questions about the data leak, Experian said their “global security teams have not observed evidence to suggest that these files are circulating on the Internet”.

“Given this, we do not feel compelled to respond to misleading and unsubstantiated further claims,” Experian said.

“Additionally, the numbers you quote are factually inaccurate and we would direct you to our website which provides a comprehensive Q&A that deals with the known facts as of this date.”

The data which is available online

Orange Cyberdefense analysed the data and provided an overview of the data which is now freely available online.

  • There are 25,055,050 total records contained in numerous CSV files.
  • There are 21,263,393 unique records. 2,736,752 records are listed two or more times.
  • The latest record date is 2 May 2020.
  • There are 1,263,435 unique email addresses contained in the leaked data.

It is currently not clear if the financial and personal data which is now available has been enriched from other sources since the first leak.

What is clear is that the data contains in-depth personal and financial data about millions of South African citizens and businesses – a treasure trove for criminals.

To date, South Africans have not been clearly informed as to what data is online. MyBroadband created two tables to clearly show what the leaked data looks like.

Here is a summary of the data which is available online. The data has been changed to not expose personal details about the business or individual.

Individual Data Leak

| Field | Information |
|---|---|
| RSAID | 6705216150082 |
| Forename1 | John |
| surname | Doe |
| CS_File_number | 1 |
| CS_CST_HomeAffairsRSAIDVerf | Y |
| CS_CELL_PHONE_1 | 0791234567 |
| CS_CELL_PHONE_2 | 0841234567 |
| CS_CELL_PHONE_3 | 0831234567 |
| CS_HOME_PHONE_1 | 0111234567 |
| CS_HOME_PHONE_2 | 0111234567 |
| CS_HOME_PHONE_3 | 0111234567 |
| CS_OTHER_PHONE_1 | |
| CS_OTHER_PHONE_2 | |
| CS_OTHER_PHONE_3 | |
| CS_WORK_PHONE_1 | 0111234567 |
| CS_WORK_PHONE_2 | 0821234567 |
| CS_WORK_PHONE_3 | 0811234567 |
| CS_EMAIL | |
| CS_EMAIL_RANK | |
| CS_Employer | Motor Sales Sandton |
| CS_OCCUPATION | |
| CS_Date | 18/07/2008 00:00 |
| CS_EMP1_EMP_NAME | Toyota |
| CS_EMP1_DATE_CREATED | 20200430 |
| CS_EMP1_OCCUPATION | Manager |
| CS_EMP2_EMP_NAME | Toyota SA |
| CS_EMP2_DATE_CREATED | 20200331 |
| CS_EMP2_OCCUPATION | Manager |
| CS_EMP3_EMP_NAME | Toyota SA |
| CS_EMP3_DATE_CREATED | 20200331 |
| CS_EMP3_OCCUPATION | Manager |
| CS_Address1_Line_1 | 5 Ribbok Street |
| CS_Address1_Line_2 | Zwartkop Ext 4 |
| CS_Address1_Line_3 | Centurion |
| CS_Address1_Line_4 | |
| CS_Address1_Town | Centurion |
| CS_Address1_PostCode | 0157 |
| CS_Address1_Province | Gauteng |
| CS_Address1_Update_Date | 20190531 |
| CS_Address2_Line_1 | 2 Bridget Street |
| CS_Address2_Line_2 | Northworld |
| CS_Address2_Line_3 | Randburg |
| CS_Address2_Line_4 | |
| CS_Address2_Town | Randburg |
| CS_Address2_PostCode | 2188 |
| CS_Address2_Province | Gauteng |
| CS_Address2_Update_Date | 20160831 |
| CS_Address3_Line_1 | 17 Chris Street |
| CS_Address3_Line_2 | Birchleigh North |
| CS_Address3_Line_3 | Kempton Park |
| CS_Address3_Line_4 | |
| CS_Address3_Town | Kempton Park |
| CS_Address3_PostCode | 1618 |
| CS_Address3_Province | Gauteng |
| CS_Address3_Update_Date | 20090131 |

Business Data Leak

| Field | Information |
|---|---|
| Kim# | 1229 |
| Debtor Name | ACME Motor Holdings |
| Vat Matched Flag | N |
| Legal Name | ACME Motor Holdings (PTY) LTD |
| Alt Name Type | Trading As |
| Alt Name | ACME Motors |
| Name Change Type | Conversion Name |
| Changed Name | ACME Motor Holdings (PTY) LTD (2012/134123/08) |
| Entity | (Pty) Ltd |
| Company Status | Active |
| Reg Number | 1997/005111/28 |
| Report Date | 20171002 |
| Enquiry Amount | 100000 |
| Enquiry Terms | 30 Days |
| Bank Code | C |
| Bank Code Date | 20200213 |
| Sicc Source | K |
| Sicc | 63121.01 |
| Sicc Description | Retail sale of new motor vehicles |
| Employees | 185 |
| Holding Company | |
| Turnover Range | 300 000 000 – 500 000 000 |
| Import/Export | |
| Fleet | 68 |
| Score | 68 |
| Score Comment | Older than 18 months |
| Judgements | N |
| R/D Cheques | N |
| Adverse References | N |
| Telephone | (011) 871 9000 |
| Postal Address | P O Box 1234, Alberton, 1450 |
| Street Address | 20 Voortrekker Road, Alberton, 1449 |
| Province | Gauteng |
| Principals | 1 |
| Branches | |
| Liquidation | |
| Premises | Leased |
| VAT Number | 4930104558 |
| Ultimate Holding Company | |
| Last JU Date | 0 |
| Auditor | Pieter De Beer |
| Fax | (011) 871 9001 |
| E-mail | [email protected] |
| Bankers | SA ABSA |
| Account# | 4012345678 |
| Branch | 632005 |
| BEE | Y |
| NCA | No |
