The most astounding thing about the Experian security breach of 24-million South Africans’ personal data is not that the credit agency willingly gave the information to a "fraudster", but that Experian will escape unpunished because of years-long delays in finalising legislation.
The Protection of Personal Information (Popi) Act only came into effect in July this year and gives companies until next July to comply with regulations.
That means the 24-million consumers and 800,000 businesses whose data was handed to a "fraudster" by Experian have no recourse. Similarly, the so-called Master Deeds data breach — where an estimated 60-million South Africans’ details were exposed in 2018 — won’t be penalised.
The Popi Act now finally has some real teeth to protect people’s data. If it had been immediately applicable, Experian could have been fined as much as R10m, while its directors could have been jailed for as long as 10 years.
Experian says the breach happened because of a "fraudulent data inquiry". But it took 2½ months before Experian acted, after its "investigations indicate that an individual in SA, purporting to represent a legitimate client, fraudulently requested services from Experian". Though it argues that the "services involved the release of information which is provided in the ordinary course of business or which is publicly available", it claims "no consumer credit or consumer financial information was obtained".
Experian claims the misappropriated data has not "been used for fraudulent purposes … the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services".
Experian is the world’s largest credit agency and appears to have been tricked by someone claiming to be a legitimate client.
But its explanations leave a great deal of speculation about what could have been done with the data. Even though Experian says the situation has been "contained", the "fraudster" had access to the data for nearly three months.
The breach actually happened in May, as Business Insider has reported. The data that was handed over on May 24 and May 27 included ID numbers, phone numbers, and physical and e-mail addresses.
Experian only picked up that the data had been "fraudulently" obtained on July 22, a staggering 57 days later. It obtained an Anton Piller order to seize the computer hardware 84 days after the breach, on August 18.
There goes its global reputation. Especially after the credit agency explained to Business Insider what had happened. "The fraud was detected once Experian struggled to contact the representative of the company on his mobile and then attempted to make contact on the company’s landline. The person who was impersonated confirmed that he did not have any dealings with Experian."
The irony is astonishing. A company set up to check the creditworthiness of everyone else failed to check the identity of a potential client.
In Experian’s defence, it isn’t the only global firm to have been hoodwinked recently. The brazen hack last month of 130 high-profile Twitter accounts — including those of Barack Obama, Elon Musk, Bill Gates, Kanye West and US presidential hopeful Joe Biden — was achieved with similar guile. Graham Ivan Clark, a 17-year-old in Florida, convinced a Twitter staffer that he was a technician and got the login details for the social media giant’s account dashboard. He made an estimated $200,000 by posting a bitcoin scam, but his hacker shenanigans will probably cost Twitter $250m in fines.
The technique used in both of these breaches is known as social engineering. Simply put, it’s a way to gain access to something by convincing someone they should legitimately help the hacker. To do that the hacker needs to know enough relevant, often intimate, information to pull off the con: "I work with Jack in IT but he’s off sick and I can’t find his login details so that I can fix that account problem."
The con just needs to be plausible enough to convince the mark to give over those details. It usually involves a plea that the conman will get into trouble and plays on human empathy and sympathy, but also gullibility.
In the 1990s the FBI put Kevin Mitnick on its Most Wanted list when he used the same technique. Mitnick, the famed hacker who inspired the 1983 classic film WarGames, used social engineering to gain access to computer firm DEC’s network, as well as Motorola and others.
It’s an unusual return to the early roots of hacking in the 1980s, where "just for fun" hackers would break into networks "to prove they [were] able to develop this kind of code", says Eugene Kaspersky.
The founder and CEO of the eponymous internet security firm has watched the evolution of hacking from such "vandals and hooligans" into a full-blown "cyberstorm".
The tools of the hacking trade have also evolved with the times, he warned in a recent interview: "In the 1990s we had bicycles, and now we have the space shuttle." (Watch the interview here: youtu.be/wE_TlAuwqX4)
Maher Yamout, a senior security researcher at Kaspersky, added this week: "Such types of threats can jeopardise users’ personal information and make them subject to online identity theft and phishing attacks. With all of this personal data being exposed, it is a safe bet that scammers will look to use this information to their benefit."
The number of cyberattacks is growing and the work-from-home era makes it easier for hackers, because most people don’t have the kind of security at home that they do at work. It’s a brazen new era of cybercrime — just ask Momentum, the City of Joburg and its City Power division, which have experienced ransomware attacks recently.
SA had the third-highest number of cybercrime victims last year, according to Accenture, which found the country had 577 malware attacks per hour, an increase of 22% over the previous year. It found R2.2bn was lost due to cyberattacks in SA, including from mobile banking app fraud.
If you aren’t already paranoid about your personal data, now is a good time to start tightening up your security.