Information for businesses

Experian fraudulent data incident

NOTIFICATION OF UNAUTHORISED ACCESS OF PERSONAL INFORMATION ON BUSINESSES, IN TERMS OF SECTION 22 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 4 OF 2013:

Experian South Africa (“Experian”) is a registered credit bureau with the National Credit Regulator. We build and manage databases containing personal information of South African businesses and individual persons. Our business bureau provides businesses, including banks, with information to help them make decisions about extending credit and the associated lending terms.

On 22 July 2020 Experian became aware of an isolated incident in which a third party obtained information on South African legal entities and consumers on 24 and 27 May 2020.

Experian followed up with the purported client for bills outstanding on 30-day terms and, when no payment was forthcoming, entered into a recovery process. Experian subsequently conducted further checks and at that point determined that the transaction was fraudulent. Experian immediately initiated an internal investigation and shortly thereafter informed the necessary authorities as well as the banks.

Our investigations pointed to a potential suspect, which enabled us to consider all appropriate legal action, including an Anton Piller application. We thus undertook to obtain and execute the Anton Piller order in order to impound hardware that we were able to locate and to ensure that the data relating to specific Experian key words on such hardware was secured and deleted. An Anton Piller application is designed to secure evidence that would otherwise be destroyed if the person in possession of the evidence were given notice of the application. It was therefore not possible to disclose the incident to the public prior to the execution of the Anton Piller order, which was successfully completed on Tuesday 18 August. We then proceeded to provide notification via our website and a public media statement on 19 August 2020.

Description of the consequences of the Incident

The table below outlines what information the fraudster provided Experian with and the information that Experian provided back to the fraudster.

| Information Category | Provided by Fraudster | Returned by Experian |
| --- | --- | --- |
| Kim | No | Provided where available |
| Vat Matched Flag | No | Provided where available |
| Debtor Name | No | Provided where available |
| Legal Name | Yes | Provided where available |
| Alt Name Type | No | Provided where available |
| Alt Name | No | Provided where available |
| Name Change Type | No | Provided where available |
| Changed Name | No | Provided where available |
| Entity | No | Provided where available |
| Company Status | No | Provided where available |
| Reg Number | No | Provided where available |
| Report Date | No | Provided where available |
| Enquiry Amount | No | Provided where available |
| Enquiry Terms | No | Provided where available |
| Bank Code | No | Provided where available |
| Bank Code Date | No | Provided where available |
| Sicc Source | No | Provided where available |
| Sicc | No | Provided where available |
| Sicc Description | No | Provided where available |
| Employees | No | Provided where available |
| Holding Company | No | Provided where available |
| Turnover Range | No | Provided where available |
| Import/Export | No | Provided where available |
| Fleet | No | Provided where available |
| Score | No | Provided where available |
| Score Comment | No | Provided where available |
| Judgements (Yes/ No indicator) | No | Provided where available |
| R/D Cheque | No | Provided where available |
| Adverse Reference (Yes / No indicator) | No | Provided where available |
| Telephone | No | Provided where available |
| Postal Address | Yes | Provided where available |
| Street Address | Yes | Provided where available |
| Province | Yes | Provided where available |
| Principles (Count) | No | Provided where available |
| Branch | No | Provided where available |
| Liquidations | No | Provided where available |
| Premises | No | Provided where available |
| Vat Number/ flag | No | Provided where available |
| Ultimate Holding Company | No | Provided where available |
| Last JU Date | No | Provided where available |
| Auditor | No | Provided where available |
| Fax | No | Provided where available |
| Email | No | Provided where available |
| Bankers | No | Provided where available |
| Account# | No | Provided where available |
| Branch | No | Provided where available |
| BEE flag (Yes / No indicator) | No | Provided where available |
| NCA (Yes / No indicator) | No | Provided where available |

Our investigations do not indicate that the misappropriated data has been used for fraudulent purposes, and it appears that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services. We advise that businesses remain vigilant to ensure they do not fall victim to social engineering or identity theft.

Advice on recommended measures to be taken by the data subject to mitigate the possible adverse effects of the unauthorised data access

We recommend that businesses remain vigilant and regularly view their credit profile.

Experian is offering free Business Alerts which provide you with immediate notifications if there is any event or change on your company profile held on the Experian database, including CIPC updates.

To activate these Business Alerts and receive access to your free Business Credit Report, please email ServiceDeskSouthAfrica@experian.com. One of our consultants will contact you to verify your details in order to initiate the alerts. The complimentary Business Alerts service will be provided to you until 31 December 2023.

 

Description of what Experian has done to address the incident

Out of an abundance of caution we have engaged your bank to alert them and to enable them to potentially monitor any abnormal activity on your bank account.

Experian can confirm that the appropriate technical and organisational measures against any further unlawful or unauthorised processing of personal information have been implemented. These include improving its process for onboarding new clients through the implementation of additional verification and authentication controls, including verifying information with non-public third-party sources. Experian has furthermore conducted a risk assessment as well as a compliance review, and remedial actions were immediately put in place. These controls are being further enhanced and we confirm that we will audit the effectiveness of these controls through an independent auditor.

Experian South Africa was successful in obtaining and executing an Anton Piller order. The Anton Piller order allows the perpetrator’s hardware that we were able to locate to be impounded and the data relating to specific Experian key words on such hardware to be secured and deleted. We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities.

We can confirm that a criminal case was opened in South Africa and the matter is now in the hands of law enforcement. We continue to co-operate with law enforcement by supporting their investigation and providing them with the necessary information as requested to bring the Suspect to justice.

Since Experian became aware of the fraud on 22 July 2020, our Global Security teams have been monitoring various platforms (including the dark web) to ascertain whether the data was being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts. To date, our Global Security teams have not observed the data being offered for sale on the internet, and at this point there is no indication that any misappropriated data has been used for fraudulent purposes.

On 1 September our ongoing investigation identified files on the internet, on a restricted file sharing site, which we subsequently confirmed contained Experian data relating to the incident reported in the media on 19 August. We notified the Information Regulator and NCR of this and published a statement.

Our Global Security team immediately engaged the third-party site and confirmed that these files can no longer be accessed via the private file sharing site that they were uploaded to. Experian Global Security Operations Centre continues to investigate any additional sources of the dataset online and continues to monitor the internet for further activity. Our global security teams have confirmed that they still have not as yet observed the data being for sale on the internet and at this point there is still no indication that this data has been used for fraudulent purposes.

We continue to investigate this incident with a full team of experts, working closely with law enforcement agencies and the Regulators, such as the Information Regulator and the National Credit Regulator.

 

Identity of the person who has accessed the data

Experian believes it has identified the suspect, who is an adult South African male. The suspect operates a business in the direct marketing services industry in South Africa. Due to the potential impact on the criminal case, we are not permitted to disclose the identity of the suspect until such a time as law enforcement agencies think that it is appropriate to do so.

 

Indicate how a data subject, who did not receive such notification, can verify if his/her/its personal information was also compromised.

In order to determine whether your business’s information was compromised, please email ServiceDeskSouthAfrica@experian.com.

Once again, we apologise for the unauthorised disclosure arising from this incident.

Our priority remains on supporting consumers and businesses in South Africa. We have updated the Experian South Africa website with a frequently asked questions document for your reference https://www.experian.co.za/fraudulent-data-incident/faqs

 

Contact Us

Should you have any immediate queries please email ServiceDeskSouthAfrica@experian.com or contact us on 0861 3973 7426 between 08:00 – 17:00 Mondays to Fridays or visit https://www.experian.co.za/fraudulent-data-incident for further information.

 

Contact information of the South African Information Regulator should you require any further assistance:

Attention: Adv Kelaotswe

Physical address: 33 Hoofd Street, Forum III 3rd Floor Braampark, Braamfontein, Johannesburg

Postal address: P.O Box 31533, Braamfontein, Johannesburg, 2017

Tel: +27 (0) 10 023 5200

Email: enquiries@inforegulator.org.za

Website: https://www.justice.gov.za/inforeg/
