Experian says it recovered and deleted data on 24 million South Africans after giving it to random 'marketing' person

Credit reference agency Experian has suffered what it somewhat understatedly described as a "data breach" after the firm itself transferred the details of 24 million South Africans to one individual. The credit reference agency admitted on its South Africa website that the "isolated incident" took place over what it said was a …

  1. IGotOut Silver badge

    How about a token fine..

    Say $100 or 1hr prison time for the Directors, for each and every person's data they "lose"

  2. Flywheel
    FAIL

    All those "free" Experian subscriptions

    24 million - that's a lot of subscriptions, and of course you'll want to pay and renew after the first year!

  3. First Light Silver badge

    Comforting?

    If he feels their response is comforting, I'd love to know his idea of uncomfortable, maybe BDSM?

    How the F did anyone give the material so easily - don't they have safeguards to prevent this kind of thing?

    And how can they be sure there aren't multiple copies of this info elsewhere? You impounded an actual computer, great. What about the cloud? Going to impound that?

    As a consumer, I'm getting afraid to read these articles anymore, it's so depressing.

  4. Pascal Monett Silver badge
    Thumb Down

    I think Experian has had enough chances

    It has been foul-up after foul-up.

    Experian is itself a threat to people's privacy and financial safety.

    Enough is enough. It's time to just shut it down.

    1. Anonymous Coward

      Re: I think Experian has had enough chances

      All the US credit agencies seem to be in a race to the bottom. Are Experian worse than Equifax? And if we shut them all down, what will their inevitable replacements look like?

      I agree it's a problem, but I think the solution is tighter regulations and penalties for the incumbents, on the grounds that they're the devils we know.

    2. DCFusor

      Re: I think Experian has had enough chances

      They do have too much power.

      I've discovered that if you don't have a rating - you fall off their records after some years with no use of credit and always paying any bills (no strikes on that permanent record your mom warned you about) -

      Then the US social security administration will not let you create the standard "MySSA" account online for dealing with the various issues one encounters with social security.

      No big deal?

      Well, with the paperwork reduction act, they no longer really have facilities to handle you any other way. Yes, there's a phone number - you wait for an hour after an insane - 45 minute tour of the system with a robot asking questions, to get to someone who doesn't normally deal with customers and doesn't know why their phone rang. This may be good, no one else gets through because they hang up during the 2 hour wait - or their battery runs down, and the person is often nice as they aren't on a firing line all the time.

      I've had doctors demand some info from the SSA "this week" for qualifying for a particular fee schedule - and the only way I can get that is ask via mail in writing - takes about a month.

      I called SSA to find all this out - the rep said "well, if Experian or Equifax doesn't have you, we have to assume it's some kind of ID fraud, everyone legit is a debt slave".

      The US government doesn't know their own citizenship. Let that sink in.

      Virtue is therefore penalized, and a private agency has far too much power. There's less than a snowflake's chance in hell this will change - they also sell the governments of the world data on you that they couldn't get legally otherwise, and it's the kind of data that makes Google, MS and others look like they are selling catnip in the marijuana market.

      The definition of Fascism used to be some sort of crony public-private partnership. Dunno why people are just now using that word again - it's been quite a few changes of political power and this kind of thing has been going on for all of them - not just the current objects of hate.

  5. Imhotep

    That Isn't How It Works

    How do you "recover" data from someone and then delete it? Whoever had it still has it, and it's a safe bet other people now have it also.

  6. Doctor Syntax Silver badge

    "fraudulent data enquiry"

    I thought the primary purpose of credit reference businesses was to prevent fraud.

    1. SloppyJesse
      Joke

      Re: purpose of credit reference businesses

      You forgot the icon

    2. Michael Wojcik Silver badge

      The primary purpose of any business is to make money.

      The specific value proposition of credit agencies is consumer-credit pricing, which is mostly a matter of risk assessment for lenders. Risk assessment is probabilistic and applies to aggregations of borrowers, so there's a certain level of noise - inaccuracy in the data - which is optimal for the credit agency, where its effect on their profits is less than the cost of improving accuracy. So they're happy to tolerate a certain amount of borrower-side fraud, such as identity theft. In fact, they've learned to monetize that by selling add-on products such as credit monitoring.

      Similarly, there's a point of diminishing returns on protecting the confidentiality of their data from fraudulent customers (i.e. lenders and others interested in credit ratings). Past that point, fraud becomes an externality - it's not worth them trying to prevent it.

      The only way to fix that problem is to convert the externality into a direct cost that's greater than the marginal profit of ignoring it. Sometimes market forces can do that, but the oligopoly of credit agencies in the US, and the fact that consumers have almost no effect on which ones are used by lenders and other customers, makes the market a non-starter in this case. That leaves only regulation.

  7. ecofeco Silver badge

    Oh FFS

    See title.

  8. Anonymous Coward

    Simple

    All you have to do is set up a small business claiming to be a credit reference agency then buy the electoral register from your local council. Who sell it stupidly, stupidly cheaply to them. Or apply to run as a councillor and you can request a copy or just visit your local library who gets given a copy.

    1. Anonymous Coward

      Re: Simple

      Note, for the full register you'd have to go the credit agency route as the one available in some libraries is only the open register which isn't given to them all as they struggle to keep them securely.

      1. Anonymous Coward

        Re: Simple

        Just what you need for mail voting fraud.

  9. fuzzie
    Paris Hilton

    But, but...

    There are some more "fun" details missing from this coverage. In the Business Insider article it's mentioned how the breach^Wsnafu happened on 24 and 27 May, but that they only detected it 22 July. And not because of some regular security audit or such. No, they tried and failed to contact the person on their mobile. It then took until 18 August for the Anton Piller raid to be executed.

    The most precious part is probably this

    "The company also reiterated that it believes the breach was not that big a deal, as the "consumer information concerned was publicly available information"."

  10. 0laf

    How long did it take to get that court order? Hours/days/weeks?

    What evidence do they have that all unauthorised copies of the data have been destroyed?

    Let's be honest, this probably took too long and the data is in an open share, darknet store or pastebin now.

  11. Kane Silver badge
    WTF?

    Huh?

    "The services involved the release of information which is provided in the ordinary course of business or which is publicly available."

    So why the big hullabaloo? Something else fishy going on at Experian, maybe?

    1. fuzzie

      Re: Huh?

      None of the items, on their own, is super secret, but in combination they provide a very convenient identity-theft kit. The data included national ID numbers, telephone numbers, email addresses, physical addresses, and such. All very useful tidbits if you want to open accounts or answer know-your-customer challenge questions.

  12. JCitizen
    FAIL

    This is nothing...

    A few years ago some guy in / or from Vietnam did the same thing but way bigger; he absconded with data from the US and maybe several other countries, I don't remember the details, but the story was published on Krebs on Security.

  13. Gareth.

    Me fail English? That's unpossible

    Come on, El Reg. "24 million people's data was transferred"... you can do better than that.
