Security breach
  • Credit bureau Experian now says it has found information apparently from a leak of its database "on the internet".
  • The company handed over personal details of millions of South Africans – and bank account numbers of businesses – to someone it describes as a fraudster.
  • It initially said it had the breach contained, while failing to mention that this took three months.
  • It then said it had reason to believe the information had not spread further during that period.

Information apparently drawn from a massive leak of its data is "on the internet", credit bureau Experian admitted on Tuesday night.

To date the company has insisted it had contained the breach, after handing over data on millions of South Africans, and bank account details of businesses, to someone it describes as a fraudster.

Now it says it will work to stop the further spread of the information.

As part of its investigation, "we have identified files which we believe contain Experian data relating to the incident on the internet," Experian said in a statement.

"We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible."

It also claimed – in direct contradiction to a timeline it has confirmed – to have taken "immediate steps to make sure that individuals and businesses in South Africa could take steps to protect themselves" once it became aware of the breach.

Experian announced the breach publicly in August, and banks started to issue warnings to their customers that the leaked information may be used to scam them.

What the company failed to mention, until questioned by Business Insider South Africa, was that it had handed over the information in late May, and noticed it had done so nearly two months later, in July.

It took nearly another month to investigate and obtain a private seizure order to recover the hardware on which the data had been stored.

Only after that did Experian tell consumers about the breach. 

Having seized the hardware, the company said, it had contained the incident.

"We have been monitoring the various platforms (i.e. the dark web) to ascertain whether the data is being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts," Experian said, when Business Insider asked how it knew the information had not been sold or distributed in the nearly three months it was with the "fraudster".

"Also, from our internal investigations we ascertained that the fraudster conducts an insurance and credit services market place and uses the information to contact consumers in order to offer services to consumers."