Credit rating agency Experian South Africa fell for a spear-phishing attack this week when a fraudster tricked the agency into sharing the personal information and other data of 24 million South Africans and 793,749 business entities.
In a press release carefully worded to play down the impact of the data security incident, Experian South Africa said on Wednesday that it was able to curtail a data incident by catching a fraudster who had impersonated a legitimate client to request certain information from the agency, information which it described as publicly available.
The agency said information shared with the fraudster did not include any consumer credit or consumer financial information and that the fraudster intended to use the fraudulently-obtained data to create marketing leads to offer insurance and credit-related services.
"We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted. We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities.
"Furthermore, upon discovering the incident, Experian South Africa notified the National Credit Regulator and the Information Regulator of the incident. We have also been engaged with BASA, SABRIC and the prudential authority at the SARB," Experian South Africa said.
“I would like to apologise for the inconvenience caused to any affected parties. Our first priority is to help and support consumers and businesses in South Africa,” said Experian Africa CEO Ferdie Pietersen. However, the agency did not state how many consumers and businesses were affected, nor what the nature of the information shared with the fraudster was.
Sabric (South African Banking Risk Centre), which supports the banking industry in combating crime, said the spear-phishing attack exposed some personal information of as many as 24 million South Africans and 793,749 business entities to a suspected fraudster.
Sabric said that even though it is not easy for fraudsters to empty the bank accounts of affected Experian customers, because banks have put robust risk mitigation strategies in place to detect potential fraud on accounts, criminals can still use stolen personal information to trick people into disclosing their confidential banking details.
Commenting on the massive breach of consumer information suffered by Experian South Africa, Dean Ferrando, systems engineer manager - EMEA at Tripwire, said that those affected by the breach must change their passwords and security information immediately as identity theft is just as bad as an attacker draining one’s bank account.
"Victims should continuously monitor their bank accounts as well as look for indicators of identity theft. The fact that this has occurred twice within a year means the organisation needs to evaluate its current security measures. Basic security hygiene needs to be adopted by all enterprises, not just financial institutions, and this includes secure configurations and vulnerability management, as well as performing specific threat assessment and countermeasures which will reduce the overall risk of future attacks," he added.
"Having robust technical security controls in place is essential for all organisations today. But in addition, it is equally important for organisations to have procedures that support security, and ensure all staff receive appropriate security awareness training," says Javvad Malik, security awareness advocate at KnowBe4.
"We continue to see more and more high-profile attacks take place with social engineering attacks - whether that be to get an employee to hand over credentials, set up a new payment, or send sensitive data. We will likely see more organisations targeted by social engineers, and therefore investing in staff is of paramount importance," he adds.