The South African Banking Risk Centre (SABRIC) announced on 19 August that a data breach at Experian exposed the personal banking-related information of as many as 24 million South Africans and nearly 793,749 businesses.
Following the report, Experian issued a statement of its own to clarify the nature of the incident, saying that it was not hacked and that no financial information was compromised.
While Experian was trying to downplay the severity of the leak, South African banks were providing clients with tips on how to keep themselves safe from potential identity theft and phishing attacks.
This has caused a lot of confusion and raised questions about the severity and potential impact of the leak on South Africans.
According to Experian, an individual in South Africa who claimed to represent a legitimate client fraudulently requested services from the company.
Experian duly provided the data the “customer” requested because that is the business it is in — it collects, enriches, and sells people’s personal data for a variety of applications including consumer credit, risk analytics, debt management, marketing services, consumer insights, and direct marketing (i.e. spam).
Experian is not unique. Credit bureaus around the world offer the same services.
The real issue – You have no control over who can access your data
In other words, based on Experian’s explanation, there is nothing unusual about the personal data it gave to the alleged fraudster. The issue is that the person obtained the data under false pretences.
Experian assured banking clients that although it had brought to bear the full might of the law, the perpetrator was not trying to do anything particularly nefarious.
“Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services,” Experian said in its statement.
“We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes.”
Experian said that upon discovering the incident it notified the National Credit Regulator and the Information Regulator, and engaged with BASA, SABRIC, and the prudential authority at the SARB.
What many people may not realise is that this is an example of South Africa’s protection of personal information regime working as intended.
The Protection of Personal Information Act (POPIA) took effect from 1 July 2020 and it contains provisions that cover the disclosure of incidents where people’s personal data has been exposed.
While POPIA does place some additional responsibilities on companies that process people’s personal data in South Africa, there is nothing stopping credit bureaus from gathering and selling your personal information.
The real question South Africans should ask is: Why is it still possible for legitimate information brokers like credit bureaus to sell your personal data without telling you who they are selling it to?
What is the risk to me?
Assuming that this data leak indeed did not include credit or financial information and that the alleged fraudster did not distribute the data but intended to use it for direct marketing, then this leak is not serious at all.
However, if the alleged fraudster shared that data with someone who had greater ambitions than sending spam, that could put people’s identities at risk.
SABRIC expressed this well in its original statement to the media on the Experian incident.
“The compromise of personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts,” SABRIC said.
“However, criminals can use this information to trick you into disclosing your confidential banking details.”
How to protect yourself
SABRIC and Experian offered useful advice on steps you can take to protect yourself from identity theft:
- Monitor your credit report. This will let you know if someone is trying to apply for credit in your name. Experian (My Credit Check) and XDS (Splendi) currently offer unlimited free credit reports. TransUnion lets you request one free credit report every 12 months.
- If you suspect that your identity has been stolen, immediately apply for a free Protective Registration listing with the Southern Africa Fraud Prevention Service (SAFPS). You can contact SAFPS by e-mail, or request a listing via the SAFPS website.
In addition to the above two steps, banks and security experts have offered the following general advice to protect your identity, especially after a data leak:
- Monitor your accounts. Keep an eye on your bank and credit card accounts. If you see transactions that you do not recognise, contact your bank to query them.
- Enable SMS alerts. Banks let you customise when you receive SMS alerts for transactions on your account. This may attract a fee, so ensure you know how much it will cost to receive SMS alerts for lower value transactions.
- Sign up for an identity theft monitoring service. XDS and TransUnion offer identity monitoring services in South Africa. TransUnion’s is priced at R99 per month and includes SMS and e-mail alerts if your information is detected on the dark web, and identity theft insurance to the value of R100,000.
- Be vigilant online. All of the usual advice for staying safe online still applies. Don’t open any strange attachments or click on any links in e-mails, SMS messages, or WhatsApp messages claiming to be from your bank, SARS or any similar institution that handles your personal information. Rather type their website addresses directly into your browser’s URL bar. Beware of messages that try to trick you into clicking on links or opening attachments through too-good-to-be-true offers or fear.
- Change your online banking passwords, if you want. Though no bank data was leaked, change your online banking passwords if it will make you feel safe. Remember to choose a strong password and do not reuse a password you have used elsewhere.
This is an opinion piece.