Highly sensitive information about South Africans from Experian breach now freely available online

On 19 August 2020, the South African Banking Risk Centre (SABRIC) announced a data breach at consumer, business, and credit information services agency Experian.
Experian’s major clients include several South African banks with the company holding highly sensitive financial and personal information of local citizens and businesses.
According to SABRIC, personal banking-related information of 24 million South Africans and 793,749 businesses were exposed following the data breach.
Following the SABRIC announcement, Experian issued a statement saying it was not hacked and that the number of leaked records were overstated.
Experian South Africa CEO Ferdie Pieterse said the data breach actually exposed the personal details of 23.4 million South Africans and 607,000 businesses.
He said the security breach occurred when an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian.
The perpetrator used social engineering techniques to put himself forward as a known customer and convinced Experian, in the normal course of business, to provide him with the records of 23.4 million individuals.
According to Pieterse, the fraudster already had the names, surnames, and ID numbers of people and Experian only provided contact information to the fraudster – telephone numbers and addresses.
While Pieterse downplayed the severity of the breach, security experts highlighted that it poses a big security risk to individuals and businesses.
J2 Software managing director John Mc Loughlin said this is a serious data breach which should concern people.
He highlighted that the information breach already happened in May and the data has been “out there for months”.
“We live in a digital world. That data can be absolutely anywhere, and that is the information which hackers need to target people for identity theft, SIM swaps, and other fraud,” he said.
This “highly valuable and rich data set” provides fraudsters with the means to launch attacks against people.
Data available online
It was not long before this data found its way to the Internet.
Earlier this month, the Information Regulator of South Africa raised concerns that data from the Experian data leak was found on the dark web.
It said the data includes the cellphone numbers, home numbers, work phone numbers, employment details, and identity numbers of individuals.
Company data available reportedly includes the names of companies, as well as their contact details, VAT numbers, and banking details.
Last week, MyBroadband received information from an anonymous source that the Experian data breach file is now widely available online.
“The Experian data breach file is all over the web. I have managed to locate the file at a number of locations,” he said.
With the help of security experts, MyBroadband verified that the data is indeed available through a simple download link online and not only on the dark web.
This means the anyone with a browser and Internet connection can download the data, which is contained in multiple CSV files.
MyBroadband also verified the accuracy of the data by contacting businesses whose details are contained in the leak.
Responding to questions about the data leak, Experian said their “global security teams have not observed evidence to suggest that these files are circulating on the Internet”.
“Given this, we do not feel compelled to respond to misleading and unsubstantiated further claims,” Experian said.
“Additionally, the numbers you quote are factually inaccurate and we would direct you to our website which provides a comprehensive Q&A that deals with the known facts as of this date.”
The data which is available online
Orange Cyberdefense analysed the data and provided an overview of the data which is now freely available online.
- There are 25,055,050 total records contained in numerous CSV files.
- There are 21,263,393 unique records. 2,736,752 records are listed two or more times.
- The latest record date is 2 May 2020.
- There are 1,263,435 unique email addresses contained in the leaked data.
It is currently not clear if the financial and personal data which is now available has been enriched from other sources since the first leak.
What is clear is that the data contains in-depth personal and financial data about millions of South African citizens and businesses – a treasure trove for criminals.
To date, South Africans have not been clearly informed as to what data is online. MyBroadband created two tables to clearly show what the leaked data looks like.
Here is a summary of the data which is available online. The data has been changed to not expose personal details about the business or individual.
Individual Data Leak | |
Field | Information |
RSAID | 6705216150082 |
Forename1 | John |
surname | Doe |
CS_File_number | 1 |
CS_CST_HomeAffairsRSAIDVerf | Y |
CS_CELL_PHONE_1 | 0791234567 |
CS_CELL_PHONE_2 | 0841234567 |
CS_CELL_PHONE_3 | 0831234567 |
CS_HOME_PHONE_1 | 0111234567 |
CS_HOME_PHONE_2 | 0111234567 |
CS_HOME_PHONE_3 | 0111234567 |
CS_OTHER_PHONE_1 | — |
CS_OTHER_PHONE_2 | — |
CS_OTHER_PHONE_3 | — |
CS_WORK_PHONE_1 | 0111234567 |
CS_WORK_PHONE_2 | 0821234567 |
CS_WORK_PHONE_3 | 0811234567 |
CS_EMAIL | — |
CS_EMAIL_RANK | — |
CS_Employer | Motor Sales Sandton |
CS_OCCUPATION | — |
CS_Date | 18/07/2008 00:00 |
CS_EMP1_EMP_NAME | Toyota |
CS_EMP1_DATE_CREATED | 20200430 |
CS_EMP1_OCCUPATION | Manager |
CS_EMP2_EMP_NAME | Toyota SA |
CS_EMP2_DATE_CREATED | 20200331 |
CS_EMP2_OCCUPATION | Manager |
CS_EMP3_EMP_NAME | Toyota SA |
CS_EMP3_DATE_CREATED | 20200331 |
CS_EMP3_OCCUPATION | Manager |
CS_Address1_Line_1 | 5 Ribbok Street |
CS_Address1_Line_2 | Zwartkop Ext 4 |
CS_Address1_Line_3 | Centurion |
CS_Address1_Line_4 | — |
CS_Address1_Town | Centurion |
CS_Address1_PostCode | 0157 |
CS_Address1_Province | Gauteng |
CS_Address1_Update_Date | 20190531 |
CS_Address2_Line_1 | 2 Bridget Street |
CS_Address2_Line_2 | Northworld |
CS_Address2_Line_3 | Randburg |
CS_Address2_Line_4 | — |
CS_Address2_Town | Randburg |
CS_Address2_PostCode | 2188 |
CS_Address2_Province | Gauteng |
CS_Address2_Update_Date | 20160831 |
CS_Address3_Line_1 | 17 Chris Street |
CS_Address3_Line_2 | Birchleigh North |
CS_Address3_Line_3 | Kempton Park |
CS_Address3_Line_4 | — |
CS_Address3_Town | Kempton Park |
CS_Address3_PostCode | 1618 |
CS_Address3_Province | Gauteng |
CS_Address3_Update_Date | 20090131 |
Business Data Leak | |
FIELD | INFORMATION |
Kim# | 1229 |
Debtor Name | ACME Motor Holdings |
Vat Matched Flag | N |
Legal Name | ACME Motor Holdings (PTY) LTD |
Alt Name Type | Trading As |
Alt Name | ACME Motors |
Name Change Type | Conversion Name |
Changed Name | ACME Motor Holdings (PTY) LTD (2012/134123/08) |
Entity | (Pty) Ltd |
Company Status | Active |
Reg Number | 1997/005111/28 |
Report Date | 20171002 |
Enquiry Amount | 100000 |
Enquiry Terms | 30 Days |
Bank Code | C |
Bank Code Date | 20200213 |
Sicc Source | K |
Sicc | 63121.01 |
Sicc Description | Retail sale of new motor vehicles |
Employees | 185 |
Holding Company | — |
Turnover Range | 300 000 000 – 500 000 000 |
Import/Export | — |
Fleet | 68 |
Score | 68 |
Score Comment | Older than 18 months |
Judgements | N |
R/D Cheques | N |
Adverse References | N |
Telephone | (011) 871 9000 |
Postal Address | P O Box 1234, Alberton, 1450 |
Street Address | 20 Voortrekker Road, Alberton, 1449 |
Province | Gauteng |
Principals | 1 |
Branches | — |
Liquidation | — |
Premises | Leased |
VAT Number | 4930104558 |
Ultimate Holding Company | — |
Last JU Date | 0 |
Auditor | Pieter De Beer |
Fax | (011) 871 9001 |
[email protected] | |
Bankers | SA ABSA |
Account# | 4012345678 |
Branch | 632005 |
BEE | Y |
NCA | No |