While Experian states that the data was not sensitive and was publicly available, the fact that the data was valuable enough for selling insurance and credit services means that a criminal could also utilize such data to target individuals and businesses with fraudulent service offers. South African privacy regulators also saw the criminal value in the data and have opened a case investigating the incident. This incident is a perfect example of why it is important to have a holistic approach to security within any organization. Even the strongest and most sophisticated security software is still subject to disclosure by the employees who have access to it. Security software cannot do anything to protect data when a fraudster is able to convince employees that it is okay to send them sensitive data. Regular training for employees on how to recognize social engineering attempts is vital to protect any organization. Creating strict protocols and procedures to review who sensitive data is being released to prior to it being sent can also go a long way in defending against fraud. More information on this topic can be found at: https://www.zdnet.com/article/experian-south-africa-discloses-data-breach-impacting-24-million-customers/