Experian data of 25 million South Africans re-leaked on Telegram
The personal data of millions of South Africans illegally obtained from credit bureau Experian in August 2020 was re-leaked via a Telegram channel this weekend, the Information Regulator has announced.
“According to the whistleblower that alerted the regulator some of data subjects… The database containing this personal information was downloaded over a hundred times before Telegram removed the page with the link to the database,” the regulator stated.
After learning about the new leak, Experian sent a take-down request to Telegram and alerted law enforcement agencies.
Experian reportedly instructed its lawyers to request the mobile operator to suspend the cellphone account of the user that dumped the data on Telegram.
Experian told the Information Regulator that it does not know the identity of the person who has illegally disclosed the personal information from the leak.
The Experian data leak was first reported to the public on 19 August 2020 when the South African Banking Risk Centre (Sabric) announced that there had been a data breach at the consumer, business, and credit information services agency.
Experian’s major clients include several South African banks. The company holds highly sensitive financial and personal information of local citizens and businesses.
An independent investigation commissioned by the Information Regulator found that Experian had entered into a commercial engagement with a person misrepresenting themselves as a director of a legitimate company.
The perpetrator provided Experian SA with 25,055,049 names, surnames and South African identity numbers, which Experian SA verified.
The data shared by Experian SA was limited to contact information for the people contained in the data set provided by the perpetrator, including:
- Telephone
- Physical address
- Employment data
The employment data included place of work, title, start date and work contact details.
Experian SA shared no personal consumer credit, financial or banking information, the Information Regulator assured.
In addition, Experian SA did not provide the perpetrator with any identity details.
The perpetrator also provided Experian SA with approximately 790,000 businesses names, addresses and registration numbers.
In return, Experian SA shared company registration details, general business information, company contact information, and credit profile information.
For 24,838 business entities, it also shared bank account numbers.
Data available online
The Information Regulator of South Africa raised concerns in September last year that data from the Experian leak was found on the dark web.
MyBroadband received information from an anonymous source that the Experian data breach file was widely available online.
“The Experian data breach file is all over the web. I have managed to locate the file at a number of locations,” he said.
With the help of security experts, MyBroadband verified that the data is indeed available through a simple download link online and not only on the dark web.
MyBroadband verified the accuracy of the data by contacting businesses whose details were contained in the leak.
Orange Cyberdefense analysed the data and provided an overview of the data.
- There are 25,055,050 total records contained in multiple CSV files.
- There are 21,263,393 unique records. 2,736,752 records are listed two or more times.
- The latest record date is 2 May 2020.
- There are 1,263,435 unique email addresses contained in the leaked data.
It is currently not clear if the financial and personal data which is now available has been enriched from other sources since the first leak.
What is clear is that the data contains in-depth personal and financial data about millions of South African citizens and businesses — a treasure trove for criminals.
Information Regulator chair Pansy Tlakula warned against accessing the link to the Telegram channel.
“We urge members of the public to exercise caution when coming across the link that supposedly contains a database with details of millions of South Africans,” Tlakula stated.
“It could well be that the link is a Trojan horse for other malware. We further appeal to members of the public that get sent the link to the messaging app not to distribute it any further.”
Tlakula said that if you distribute the link, you perpetuate the commission of a crime under South Africa’s laws regulating the protection of personal information, and our laws on cybercrimes.
Experian data still in the public domain
“Telegram took the right decision by removing the page with the link from its platform, however this came late because the database with the personal information of data subjects had already been downloaded more than a hundred times,” said Tlakula.
“This means this data is still available in the public domain.”
Despite assurances given to the Information Regulator that the Experian data had been secured, Tlakula said that it is clear that we have not seen the last incident of this type of exposure of people’s personal information.
She said that a massive amount of data was illegally obtained from Experian in 2020, and the evidence shows that this data remains on various platforms.
“The Regulator has a responsibility to the data subjects and the public, and we will not hesitate to take strong action should we find evidence of continued activity that compromises the security of personal information of any person,” Tlakula said.
In September of this year, the Hawks’ Serious Commercial Crime unit announced that it arrested a 36-year-old suspect in Gauteng linked to the Experian data breach.
According to the Hawks, the suspect pretended to be Tebogo Mogashoa, a director of Talis Holdings, and entered into a contract with Experian for access to the personal information that the credit bureau holds on millions of people.