South Africa’s Information Regulator says it has received information from a whistle-blower that the personal information of South Africans exposed by the Experian data breach has found its way to the ‘dark web’.
The dark web allows criminals to anonymously sell stolen personal info, along with all sorts of other contraband, such as illicit drugs and weapons.
The whistle-blower said that the personal information posted includes:
- Cellphone numbers;
- Home phone numbers;
- Work phone numbers;
- Employment details; and
- Identity numbers.
The personal information of companies includes:
- Names of the companies;
- Contact details;
- VAT numbers; and
- Banking details.
The regulator said it is ‘extremely disturbed’ about the information that it has received from the whistle-blower – especially after it was reassured by Experian that the personal information of data subjects was appropriately secured.
“The information which Experian has provided to the regulator so far raises serious concerns, in so far as protection of personal information is concerned,” it said.
“In an effort to explore a suitable solution that will ensure the appropriate protection of personal information of data subjects, the regulator has decided to conduct an independent review to assess the extent of the data breach and to explore a suitable solution that will ensure that all the personal information disseminated by Experian is appropriately protected.”
As Experian’s website is hosted in Switzerland, the regulator said it will bring the data breach to the attention of its counterpart in Switzerland, the Federal Data Protection and Information Commissioner, since the breach involves the cross-border flow of personal information.
The regulator said it received further correspondence from Experian in which it confirmed that they have verified that the files on the internet were the misappropriated data.
The files were reported to have been removed from the site and a further investigation is being conducted by Experian.
Another correspondence from Experian indicated that the data was not on the dark web but placed on a third-party data sharing site on the internet, and that the third party has disabled the links and the data has been removed.
The regulator said that Experian has undertaken to cooperate with it in the review process.
Experian, a consumer credit reporting company, said on 19 August that it experienced a breach of data which has exposed some personal information of as many as 24 million South Africans, and 793,749 business entities, to a suspected fraudster.
The breach has been reported to authorities, and South African banks have been working with Experian and the South African Banking Risk Centre (Sabric) to identify which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds.
While it was not specified how this information was posted on the dark web, it is possible that this data may now be sold to illicit buyers. A 2018 report found that it costs just R14,000 to buy all your personal details from the dark web.
Hacked financial details are by far the most commonly listed items, and credit cards, in particular, are the most valuable, the report found.