Experts on News: Experian scam leaves critical data on over 24 million customers exposed

It has been reported that the South African branch of consumer credit reporting agency Experian disclosed a data breach on Wednesday, with the credit agency admitting to handing over the personal details of its South African customers to a fraudster posing as a client. While Experian did not disclose the number of impacted users, a report from the South African Banking Risk Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses.
Full story here: https://www.zdnet.com/article/experian-south-africa-discloses-data-breach-impacting-24-million-customers/

Experts Comments

August 21, 2020
Dan Piazza
Technical Product Manager
Stealthbits Technologies
Once again, the human factor was the issue rather than network vulnerabilities or lax IT. Ultimately an Experian employee was tricked into handing personal information of customers over to someone posing as a legitimate client. While Experian claims no financial or credit-related information was involved, the overall scope of the breach is still concerning. A report from the South African Banking Risk Centre claimed the breach impacted 24 million South Africans and 793,749 local businesses; should the Experian employee have had access to all that data? It's tough to say without knowing more about Experian's internal structure and delegation of roles, however it does sound like overprovisioned access to data may have been an issue. Access to data should be continuously audited and limited to essential personnel, with permissions assigned at the lowest possible level. Furthermore, this incident shows the ongoing need for all employees to be educated for security awareness to avoid common social engineering attacks.
August 21, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
Any compromise of personal information like this offers an opportunity for the bad guys to impersonate you to open accounts in your name or cause other financial havoc. They can also use that same personal information to trick you into providing additional information. That's why even though Experian South Africa claims no sensitive data was leaked, customers should still stay alert for any changes in their accounts, or for anyone claiming to be from a bank, credit agency, or other financial institution asking for personal information.
August 21, 2020
Saryu Nayyar
CEO
Gurucul
Experian is in the headlines again for suffering a major cyberattack. As a consumer credit reporting company, they are clearly a high value target for cybercriminals. Likely the company has an array of cybersecurity protections in place to prevent data breaches. Social engineering, however, is a different animal. In this case, an individual fraudulently claimed to represent a client and gained access to Experian services. This person then made off with 24 million South Africans' PII as well as information from 800,000 businesses. Fraud is malware's ugly cousin. You need different controls to detect and catch social engineering and fraudulent behavior because fraud isn't code. Fraud isn't a malware application. People commit it.
August 20, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Having robust technical security controls in place is essential for all organisations today. But in addition, it is equally important for organisations to have procedures that support security, and ensure all staff receive appropriate security awareness training. We continue to see more and more high-profile attacks take place with social engineering attacks - whether that be to get an employee to hand over credentials, set up a new payment, or send sensitive data. We will likely see more organisations targeted by social engineers, and therefore investing in staff is of paramount importance.
August 20, 2020
Dean Ferrando
Systems Engineer Manager – EMEA
Tripwire
For those affected by this breach, I would strongly recommend they change their passwords and security information. Identity theft is just as bad as an attacker draining one's bank account. Victims should continuously monitor their bank accounts as well as look for indicators of identity theft. The fact that this has occurred twice within a year means the organisation needs to evaluate its current security measures. Basic security hygiene needs to be adopted by all enterprises, not just financial institutions, and this includes secure configurations and vulnerability management, as well as performing specific threat assessment and countermeasures which will reduce the overall risk of future attacks.