This is according to the Information Regulator of South Africa, a subsidiary of the department of justice, in a statement on Thursday night.
The SA Banking Risk Information Centre (Sabric) announced on August 19 that credit bureau Experian had suffered a data attack. Experian would confirm that an individual in SA, purporting to represent a legitimate client, fraudulently requested services from the company.
In the end, the data of as many as 24 million individuals and 800,000 companies were released. Now, the Information Regulator said on Thursday night, a “whistleblower” has confirmed that information has “found its way to the dark web”.
“The whistleblower has informed the regulator that the information of natural persons that is hosted on the dark web includes their cell numbers, home and work phone numbers, employment details and identity numbers,” the statement read.
The personal information of companies includes the names of the companies, contact details, VAT numbers and banking details.
“The regulator is extremely disturbed about the information that it has received from the whistleblower, particularly because during the meeting which it held with Experian last week, its chief executive officer Mr Ferdie Pieterse assured the regulator that Experian had obtained an Anton Piller order and managed to execute the order in terms of which the personal information of data subjects was appropriately secured.”
The regulator said it had informed Experian about the information the whistleblower had provided.
“Experian responded as follows: ‘I can confirm that we have located the files on the internet and that we are currently running an analysis on the files to ascertain whether it is an exact match. However, our preliminary investigation indicates that it is reasonable to assume that it is the files that were released to the fraudster and we have issued a public notification to this effect.’
“In the same response, Experian indicated that they were working on taking the files down from the internet and conducting further investigations. The regulator was further informed that the site was hosted in Switzerland.
“Later in the day, the regulator received a further correspondence from Experian, in which it confirmed that they have verified that the files on the internet were the misappropriated data.” The files were reported to have been removed from the site and a further investigation is being conducted by Experian.
“Last night [Wednesday] the regulator received another correspondence from Experian confirming that the data was not on the dark web but placed on a third-party data sharing site on the internet, and that the third party has disabled the links and the data has been removed,” the statement said.
The Information Regulator said that while it was happy with the investigation and the prompt response from Experian, it was nonetheless concerned that the “personal information of data subjects continues to be vulnerable and Experian seem to be struggling to secure the protection of personal information of millions of South Africans”.
Because of the extent of the breach, the regulator said it had decided to conduct an independent review “to assess the extent of the data breach and to explore a suitable solution that will ensure that all the personal information disseminated by Experian is appropriately protected.”
Experian on Wednesday said it had identified files on the internet which it believes contain its data, after a data breach.
“We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible,” the company said in a statement. “We can confirm that a criminal case was opened last week in South Africa and the matter is now in the hands of law enforcement.”