Experian bosses who felt a comforting sense of schadenfreude at rival Equifax’s 2017 data breach are now facing their own demons following reports that Experian has suffered its own embarrassing incident, leaking the details of more than 24 million consumers.
The move follows an admission by the credit reference and marketing data giant that it inadvertently handed over the personal details of millions of South African customers to a fraudster posing as a client.
While the firm has not disclosed the number of users who have been hit, a report from the South African Banking Risk Centre, an anti-fraud and banking non-profit, claimed the breach had affected 24 million South Africans and 793,749 local businesses.
Experian said it reported the incident to local authorities, who were then able to track down the culprit. Since then, the company obtained a court order, “which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted”.
The business insists that none of the data had been used for fraudulent purposes before it was deleted and that the fraudster did not compromise its infrastructure, systems, or customer database.
In a statement, Experian said: “Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian. Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”
Experian insists that no financial or credit-related information was exposed. Interestingly, it maintains the data was “information which is provided in the ordinary course of business or which is publicly available”, a statement which raises questions over why it charges so much for the data in the first place.
Even so, the South African data protection watchdog, The Office of the Information Regulator, has already opened an inquiry into the incident.
Experian’s most high-profile breach took place in 2015, when the personal details of more than 15 million US T-Mobile customers were exposed in an online hack. But figures dating back to 2012 claimed Experian had suffered breaches against its databases no fewer than 80 times, with one claiming that almost 15,000 credit reports were pilfered, while it has also been found guilty of selling around 200 million identity records to known criminals.
However, despite numerous investigations into its practices, including its relationship with baby firm Emma’s Diary and its role in providing data analytics for political advertising, the company has yet to fall foul of the UK Information Commissioner’s Office.