The Experian Experience data breach & New Protection Laws

10 Sep

The recent Experian experience data breach is no secret. The cat is out of the bag! Over a million South Africans were notified of the data breach, which took place in July 2020. On the 19th of August 2020, SABRIC announced that Experian’s data breach put the personal data of 24 million South Africans and over 790,000 businesses in jeopardy.

How Did it Happen?

It turns out that Experian unwittingly provided financial details to a South African individual fraudulently acting as a representative of one of their legitimate financial customers. The company then provided the individual with sensitive information in May 2020. In July 2020, the fraud was brought to light and the company took immediate preventative action and will be taking legal action too.

How Things Played Out

The real question is whether or not Experian has been downplaying the situation.

The company’s latest statement informed the public that Experian was not hacked as many had presumed. They also advised that no financial information had been compromised.

Data that the fraudster may have gained access to includes email addresses, ID numbers, home addresses, work information, and full names. While financial information was not provided, a fraudster could still use this information for identity theft purposes, giving them deeper access to financial data.

The Legalities

According to the new Protection of Personal Information Act (POPI) recently instated, Experian was required to notify the information regulator as soon as they became aware of the fraud. The company is also meant to notify any individual whose personal information has been compromised. Experian failed on both of these fronts.

The new POPI act sets in place a series of rules and guidelines that assist companies to adopt a swift data breach response plan so that they can quickly determine what information has been lost, where that data sits and who has been affected. As soon as a company experiences a breach, as part of a POPI compliance exercise they should act immediately and to the letter.

Unfortunately, even though South Africa has the POPI act, there is currently no regulatory law in the country concerning cybercrime. The Cybercrimes Bill which was passed in July still awaits Cyril Ramaphosa’s approval. This new Bill will impose stricter laws on reporting data breaches when they happen.

The Conclusion

While the Experian data breach dust settles, we hope that we are not simply waiting to see who will be next! Hopefully, the hackers will give South African people and businesses a break for a while – let’s work together by following regulations to keep them at bay, and encrypting and backing up our data so that it’s not an easy target.
