Experian reported on Wednesday that their South African branch suffered a data breach recently. The data loss was not the result of a systems breach or a complex intrusion into their systems, but rather the result of social engineering by a clever fraudster. Experian worked with local authorities to report the incident and an investigation by South African authorities resulted in the arrest of the individual accused of being responsible. According to Experian, the arrest resulted in “the individual’s hardware being impounded, and the misappropriated data being secured and deleted.” Experian did not disclose how many customers were impacted by the data breach, however a report from the South African Banking Risk Centre (SABRIC) claimed that the breach impacted 24 million South Africans and 793,749 local businesses. The fraudster does not currently appear to have sold any of the data prior to the arrest and seems to have intended to use the data for marketing leads for insurance and credit-related services. Experian claims that the exposed data was all publicly available data that is “provided in the ordinary course of business.”
Analyst Notes
While Experian states that the data was not sensitive and was publicly available, the fact that the data was valuable enough for selling insurance and credit services means that a criminal could also utilize such data to target individuals and businesses with fraudulent service offers. South African privacy regulators also saw the criminal value in the data and have opened a case investigating the incident. This incident is a perfect example of why it is important to have a holistic approach to security within any organization. Even the strongest and most sophisticated security software is still subject to disclosure by the employees who have access to it. Security software cannot do anything to protect data when a fraudster is able to convince employees that it is okay to send them sensitive data. Regular training for employees on how to recognize social engineering attempts is vital to protect any organization. Creating strict protocols and procedures to review who sensitive data is being released to prior to it being sent can also go a long way in defending against fraud. More information on this topic can be found at: https://www.zdnet.com/article/experian-south-africa-discloses-data-breach-impacting-24-million-customers/
