Here We Go Again: Experian Responsible for a Data Breach That Affects 24 Million
As it turns out, you don't always need to breach an organization's security in order to gain unauthorized access to a vast trove of information. Experian, a multi-national credit reporting bureau, proved that sometimes, all you need to do is ask politely.
Last week, Experian's South African branch admitted that a data breach had resulted in the leak of some consumer information. It was quick to point out, however, that the incident didn't involve any hacking. Instead, a scammer impersonated one of Experian's clients, and an employee of the credit bureau gave away the data willingly.
If we had to rank cybersecurity incidents by the embarrassment they cause, this one would go rather near the top. You'd expect the victim to hold its hand up, admit that it made a silly mistake, and promise to take measures to avoid similar incidents in the future. It looks like Experian has other ideas about how to handle a data breach, though.
Experian tries to downplay the problem
Instead of talking about the changes implemented to prevent such data breaches, Experian's statement emphasizes the fact that no credit or financial information has been exposed. According to the credit bureau, the data that was handed over is usually provided in "the ordinary course of business," and the scammer who took it intended to use it to organize a marketing campaign. The scammer has been identified, their "hardware" has been impounded, and the leaked data has been deleted. All the relevant regulators and law enforcement agencies have been informed, and although the investigation is still ongoing, there's no evidence of the exposed data being misused.
Finally, the credit bureau urged consumers to check their credit reports for free at www.mycreditcheck.co.za, and Ferdie Pieterse, Experian Africa's CEO, apologized about what he referred to as "the inconvenience."
It's a lot more than an inconvenience
Experian is no stranger to data security issues. In what has to be one of 2015's biggest cybersecurity incidents, hackers compromised the servers of the credit bureau's US branch and stole the personal details of as many as 15 million people. In 2013, one of its subsidiaries was caught up in an ID theft investigation that caused a lot of controversy. These two incidents left many lessons to be learned, but judging by the way Experian is handling the recent data breach, it has drawn nothing from them.
Even if you decide to ignore the fact that Experian allowed one of its employees to be tricked into giving away a lot of personal information, you only have to look at the way the bureau is disclosing the issue to see that there are many problems with it.
The statement does say, for example, that the leaked information is either publicly available or regularly shared with other organizations anyway, but it makes no attempt to disclose the precise nature of the data. People don't know which of their personal details got exposed, and they have no way of knowing what sort of attacks they need to be wary of. Experian didn't say when the incident happened, either.
Worse still, although it apologized to the affected parties, it forgot to mention how many of them there are. Thankfully, the South African Banking Risk Information Centre (SABRIC), which is involved in the investigation, was more generous with the details. According to it, the fraudster got their hands on the information of 24 million South Africans and just under 800 thousand business entities.
SABRIC says that it's currently working with banks and Experian to identify the affected individuals. In the meantime, everyone is advised to be suspicious of any requests for personal information coming via emails, text messages, or phone calls.
You might be wondering why Experian failed to disclose all that information in its statement. Unfortunately, your guess is as good as ours.