Last updated on Oct 6th, 2020 at 04:30 pm

Experian, a consumer, business and credit information services agency, experienced a major data breach which “exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster…”

The breach was reported to law enforcement and the appropriate regulatory authorities, according to a statement from the company.

Experian confirmed that no consumer credit or consumer financial information was obtained in the security breach.

However, the information that was obtained could still be used in potential scams.

“These types of threats can jeopardise users’ personal information and make them subject to online identity theft and phishing attacks. With all of this personal data being exposed, it is a safe bet that scammers will look to use this information to their benefit,” says Maher Yamout, Senior Security Researcher at Kaspersky.


What can criminals do with personal information?

According to, personal information can create opportunities for criminals to impersonate you, but does not guarantee access to your banking profile or accounts. Criminals can, however, use this information to trick you into disclosing your confidential banking details.

They can do this in a few ways:

  • They convince you to click on a link in an SMS (smishing) or email (phishing) and disclose confidential information.
  • They try to trick you into downloading malware on your mobile device by clicking on a link or attachment in an email.
  • They call you (vishing), pretend to be an employee from a reputable company and convince you to give them PINs and passwords.
  • They trawl through your social media profiles, collecting as much personal information as they can find.
  • They intercept or steal your bank statements, municipal bills and other account statements.

Experian suspect identified, hardware impounded

“We have identified the suspect, and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted,” said a statement from the company. “We are continuing the legal process in this regard, including coordination with law enforcement and relevant authorities.”

“I would like to apologise for the inconvenience caused to any affected parties. Our first priority is to help and support consumers and businesses in South Africa,” said Experian Africa CEO Ferdie Pieterse.


Who gave Experian SA permission to share my data with their clients?

According to, a credit bureau is an agency that collects and researches contact and credit information relating to individuals and businesses, and makes this information available to credit providers to assist them in deciding whether or not to grant credit.

Credit bureaus are not responsible for deciding whether or not a credit provider should advance credit to an individual or entity. They merely collect and synthesise relevant information about an individual or entity, including credit scores, and make this information available to credit providers.

Lending institutions include retailers and banking and other financial services institutions. Experian SA also provides this service to individuals or entities in respect of their own credit history information.

According to a statement by Experian, the suspect obtained the information from the company after “purporting to represent a legitimate client, fraudulently requested services from Experian. The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”

“Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes. Our investigations also show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.”

Here’s how Yamout from Kaspersky says you can identify potential scams:

  • When reading emails, social media posts or even SMS messages, make sure that the sender is who they say they are, and keep an eye out for phishing emails.
  • Change your passwords and never use the same password for multiple accounts because if one account is jeopardised, criminals might gain access to your other accounts.
  • Affected users should assess the type of personal information leaked and try to replace it whenever possible to avoid potential risks (for example, if a passport copy is leaked, try to replace it with a new one).

There are some quick wins to proactively monitor your identity both online and off, says Yamout:

  • Monitor banking accounts. This may seem like a no-brainer, but you should keep a regular eye on your banking and credit card accounts. If you see transactions that you do not recognise, contact your banking institute to dispute them.
  • Enable SMS alerts. If you want to make sure that you’re up to the minute with your banking, you can set up SMS alerts when transactions are made. If you do not recognise one, you can contact the bank immediately vs. seeing this online a few days later. In this blog post, a colleague of mine discusses how his credit card was stolen and how an SMS on a fraudulent transaction helped him get his money back.
  • Sign up for an identity theft monitoring service. There are countless services out there that can help secure your online and real world identity. This type of service could be useful if you are impacted or are afraid that you may have been.
  • Be vigilant online. Be careful with sharing your information online and stay alert for any email or message you receive. For tips on avoiding phishing, check out this post.
  • If you are a business, be aware that social engineering is one of the most common attack vectors nowadays. Consider using Kaspersky ASAP training to introduce your employees to the basics of cybersecurity hygiene.


Report identity theft to the Southern African Fraud Prevention Service (SAFPS) on 0860 101 248 or at