It has been reported that the South African branch of consumer credit reporting agency Experian disclosed a data breach on Wednesday, with the credit agency admitting to handing over the personal details of its South African customers to a fraudster posing as a client. While Experian did not disclose the number of impacted users, a report from the South African Banking Risk Centre (SABRIC), an anti-fraud and banking non-profit, claimed the breach impacted 24 million South Africans and 793,749 local businesses.
Full story here: https://www.zdnet.com/
Once again, the human factor was the issue rather than network vulnerabilities or lax IT. Ultimately an Experian employee was tricked into handing personal information of customers over to someone posing as a legitimate client. While Experian claims no financial or credit-related information was involved, the overall scope of the breach is still concerning. A report from the South African Banking Risk Centre claimed the breach impacted 24 million South Africans and 793,749 local businesses; should the Experian employee have had access to all that data? It’s tough to say without knowing more about Experian’s internal structure and delegation of roles; however, it does sound like overprovisioned access to data may have been an issue. Access to data should be continuously audited and limited to essential personnel, with permissions assigned at the lowest possible level. Furthermore, this incident shows the ongoing need for all employees to be educated in security awareness to avoid common social engineering attacks.
Any compromise of personal information like this offers an opportunity for the bad guys to impersonate you to open accounts in your name or cause other financial havoc. They can also use that same personal information to trick you into providing additional information.
That’s why even though Experian South Africa claims no sensitive data was leaked, customers should still stay alert for any changes in their accounts, or for anyone claiming to be from a bank, credit agency, or other financial institution asking for personal information.
Experian is in the headlines again for suffering a major cyberattack. As a consumer credit reporting company, they are clearly a high-value target for cybercriminals. Likely the company has an array of cybersecurity protections in place to prevent data breaches. Social engineering, however, is a different animal. In this case, an individual fraudulently claimed to represent a client and gained access to Experian services. This person then made off with 24 million South Africans’ PII as well as information from 800,000 businesses. Fraud is malware’s ugly cousin. You need different controls to detect and catch social engineering and fraudulent behavior because fraud isn’t code. Fraud isn’t a malware application. People commit it.
Having robust technical security controls in place is essential for all organisations today. But in addition, it is equally important for organisations to have procedures that support security, and ensure all staff receive appropriate security awareness training. We continue to see more and more high-profile attacks take place with social engineering attacks – whether that be to get an employee to hand over credentials, set up a new payment, or send sensitive data.
We will likely see more organisations targeted by social engineers, and therefore investing in staff is of paramount importance.
For those affected by this breach, I would strongly recommend they change their passwords and security information. Identity theft is just as bad as an attacker draining one’s bank account. Victims should continuously monitor their bank accounts as well as look for indicators of identity theft. The fact that this has occurred twice within a year means the organisation needs to evaluate its current security measures. Basic security hygiene needs to be adopted by all enterprises, not just financial institutions, and this includes secure configurations and vulnerability management, as well as performing specific threat assessments and countermeasures which will reduce the overall risk of future attacks.