Police arrest hacker who stole data of 23 million South Africans
The Hawks’ Serious Commercial Crime unit arrested a 36-year-old suspect this morning in Gauteng following an investigation into the data breach at credit bureau Experian in August 2020, the South African Police Service said in a statement.
According to the Hawks, the suspect pretended to be Tebogo Mogashoa, a director of Talis Holdings, and entered into a contract with Experian for access to the personal information that the credit bureau holds on millions of people.
“The suspect then proceeded to download approximately 23 million personal data records and 727,000 business records. The suspect then attempted to sell these records at about R4.2 million,” the Hawks stated.
“Consequent to his arrest, the suspect is expected to appear in the Palm Ridge Magistrates court today, 15 September 2021 on charges of fraud and the contravention of the Electronic Communications and Transactions Act.”
On 19 August 2020, the South African Banking Risk Centre (Sabric) announced a data breach at consumer, business, and credit information services agency Experian.
Experian’s major clients include several South African banks. The company holds highly sensitive financial and personal information of local citizens and businesses.
Following the Sabric announcement, Experian issued a statement saying it was not hacked.
Experian South Africa CEO Ferdie Pieterse said the data breach exposed the personal details of 23.4 million South Africans and 607,000 businesses.
He said the security breach occurred when an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian.
The perpetrator used social engineering techniques to put himself forward as a known customer and convinced Experian, in the normal course of business, to provide him with the records of 23.4 million individuals.
According to Pieterse, the fraudster already had the names, surnames, and ID numbers of people, and Experian only provided contact information to the fraudster – telephone numbers and addresses.
While Pieterse downplayed the severity of the breach, security experts highlighted that it poses a big security risk to individuals and businesses.
J2 Software managing director John Mc Loughlin said this is a serious data breach which should concern people.
He highlighted that the information breach already happened in May and the data has been “out there for months”.
“We live in a digital world. That data can be absolutely anywhere, and that is the information which hackers need to target people for identity theft, SIM swaps, and other fraud,” he said.
This “highly valuable and rich data set” provides fraudsters with the means to launch attacks against people.
Data available online
It was not long before this data found its way to the Internet.
The Information Regulator of South Africa raised concerns in September last year that data from the Experian data leak was found on the dark web.
It said the data includes the cellphone numbers, home numbers, work phone numbers, employment details, and identity numbers of individuals.
Company data available reportedly includes the names of companies, as well as their contact details, VAT numbers, and banking details.
MyBroadband received information from an anonymous source that the Experian data breach file was widely available online.
“The Experian data breach file is all over the web. I have managed to locate the file at a number of locations,” he said.
With the help of security experts, MyBroadband verified that the data is indeed available through a simple download link online and not only on the dark web.
This means anyone with a browser and Internet connection can download the data, which is contained in multiple CSV files.
MyBroadband also verified the accuracy of the data by contacting businesses whose details are contained in the leak.
The data which is available online
Orange Cyberdefense analysed the data and provided an overview of the data which is now freely available online.
There are 25,055,050 total records contained in numerous CSV files.
There are 21,263,393 unique records. 2,736,752 records are listed two or more times.
The latest record date is 2 May 2020.
There are 1,263,435 unique email addresses contained in the leaked data.
It is currently not clear if the financial and personal data which is now available has been enriched from other sources since the first leak.
What is clear is that the data contains in-depth personal and financial data about millions of South African citizens and businesses – a treasure trove for criminals.