Man convicted for Experian breach and trying to sell data for R4 million skips sentencing
A man found guilty of fraudulently obtaining the personal data of millions of South Africans from credit bureau Experian skipped his sentencing hearing on Wednesday. A warrant for his arrest has been issued.
According to the state’s case, Karabo Phungula not only fraudulently obtained the data but also planned to sell it for over R4 million.
News24 reports this was the second time Phungula failed to appear for his sentencing.
He failed to appear on 14 February 2023, saying he was ill. Although the court issued an arrest warrant, it was stayed until his next appearance.
Phungula was due to appear on Wednesday, 1 March, in the Specialised Commercial Crimes Court that held its hearings in the Palm Ridge Magistrate’s Court.
According to the report, prosecutor Phuti Matabane said Phungula’s lawyer also skipped the hearing, citing ill health.
The magistrate issued an arrest warrant for Phungula, and his R3,000 bail was forfeited to the state.
MyBroadband contacted Phungula for comment, and he confirmed that he was absent from his sentencing hearing.
Phungula said he could not appear due to a medical condition that caused him shortness of breath. He said he could not disclose the condition.
He said he knew a warrant for his arrest had been issued and was communicating with his lawyer on what they would do next.
He declined to provide further details.
The South African Banking Risk Centre warned on 19 August 2020 that a major data breach at Experian exposed the personal information of South Africans and business entities.
Experian later issued a statement clarifying that their systems weren’t breached.
Experian South Africa CEO Ferdie Pieterse said someone had impersonated a legitimate client and fraudulently requested services from the credit bureau.
The leaked data was later found on the public Internet, making the allegedly stolen personal information available to malicious actors worldwide.
In an eNCA interview, Orange Cyberdefense South African director Dominic White explained that local privacy legislation has a deliberate loophole for credit bureaus.
“Credit bureaus are allowed to collect your personal information from multiple service providers,” White said.
“However, they don’t stop there. Anyone can get access to this data in return for money.”
When details of the wider leak of the Experian data emerged in September 2020, White highlighted the problem with South Africa’s current privacy legislation.
“The only crime here is that the fraudster didn’t pay for it, not that it was shared. And that’s the core problem with all of this — we need more control of our data.”
White also stated that any legislation is only as good as its enforcement, but that it’s important to remember that those who are breached are victims.
“We should be careful of victim-shaming,” he said.
“Law enforcement needs to be able to enforce consequences on perpetrators as much as the Information Regulator should on negligent breach victims.”
Information Regulator chair Pansy Tlakula recently revealed that her office has received over 500 notifications of data violations.
However, the regulator has not issued a single fine for violating the Protection of Personal Information Act.
Phungula’s identity as the suspect in the 2020 Experian data breach was revealed thanks to the dogged work of the late Tefo Mohapi, the founder of iAfrikan.
Mohapi also worked with Have I Been Pwned founder Troy Hunt to report that the data had been exposed to the public Internet.
MyBroadband had previously communicated with Phungula when the Direct Marketing Association of South Africa (DMASA) employed him as an IT consultant and webmaster in 2011.
He had responded to MyBroadband’s questions regarding the DMASA website being hacked.
When we contacted him for comment on Mohapi’s story, he said he had no idea what was going on.
Phungula was accused of using the identity of Tebogo Mogashoa, a director of Talis Holdings, to unlawfully gain access to the personal data of millions of South Africans.
He denied impersonating Mogashoa and said he didn’t know him or have any dealings with him.
Following the allegations, Phungula said he found himself on the receiving end of an Anton Piller order.
An Anton Piller order is a court order that gives the Sheriff the right to search for and seize evidence without warning the subject of the order. It is granted in civil matters, not criminal ones, to prevent the potential destruction of evidence.
Phungula said a Sheriff of the court arrived at his parents’ home, which is the registered address of his business, and requested all of his computing devices.
He said he went with the Sheriff to where he lives so that they could seize his computer and two phones to search them for evidence.
According to Phungula, he was targeted because of a soured business relationship between him and the credit bureau.
Since 2010, Phungula had been doing lead generation through his company Hi-Pixel Communications.
He explained that he worked as an affiliate with other lead generation companies and helped generate sales leads in return for a commission.
Some of the work he did included generating sales leads for firms in the financial services sector.
Phungula said that through Hi-Pixel Communications, he had a business relationship with the credit bureau Compuscan in 2017, which Experian acquired in 2019.
He said there was a payment dispute between him and Compuscan, as they charged him for data he did not receive.
To resolve the dispute, he signed an affidavit declaring that he had not received the data he was being billed for and provided a copy of the data in his possession.
The Specialised Commercial Crimes Court has since found Phungula guilty of the charges brought against him.