Didn't they fire that one guy whom they said was solely responsible for the previous breach?
Thought that was going to ensure it would never happen again...
Personal data on 24 million South Africans, wrongfully sold by Experian to a person it claimed had "pretended" to represent a "legitimate client", is now not only circulating on the dark web – it's also on clearweb file-sharing sites, according to reports. Despite assurances from Experian in August that it had obtained an …
> Despite assurances from Experian in August that it had obtained an Anton Piller court order
That must have come as a complete shock: a proven liar who who previously lied to Experian also lied to the Court about agreeing to abide by the order.
What's that saying? Fool me once...
One has to ask whether it's reasonable and proportionate for any one company to collect all this information without any choice on the part of the data subject. Just for example, in what way are "employment information which includes place of work, title, start date and work contact details" relevant to current credit rating, reporting on which which is the only even notionally legitimate function of a credit reference agency?
Speaking as a former employee of Experian. They do a lot more than just credit references. They collate a vast amount of data on everyone and everything and use it for lots of things.
1. Marketing purposes e.g. if company X wants to send out junk mail, who are the people who are more likely to respond positively to it? A crude example would be not to send out mailings about the latest top of the range Mercedes to people living on a council estate; while you might get some positive hits, you will get more bang for your advertising buck by mailing to those with certain jobs, residential areas, life aspirations and incomes.
2. Where to build stuff? A huge amount of analysis goes into where to build things like a McDonalds. The number of people who would walk there at lunch time, office workers, school kids, shoppers etc based on analysis of the number of each type of potential customer and their distance from the proposed store, taking into account competition for other burger chains. If there is to be a drive in, detailed analysis of the traffic flows around the area and how likely people would be to use it.
Experian have their fingers into every data source available. I was shocked at the colossal amount of data they have on every individual and household in the country. We all have our own unique ID number. When collated it is a goldmine for businesses of many types. They have everything from electoral registers to data on who have bought what new car from what dealership to how many kids (and ages) are in the household, what schools they are likely to attend etc. They were also looking at collating data on shopping via loyalty cards, so they would also know what you buy, where and when - not sure if that one ever got off the ground as the amount of data involved was pushing the limits at the time.
Have you ever come across area profiles on the net? Experian is the powerhouse behind the data. e.g. you put in a post code and you get a breakdown of the crime rate in that area, the house prices, average household incomes and various other data.
I could go on, but you get the basic idea.
This happened in South Africa where the ANC government just increased the state debt by taking a huge loan for COVID-19 purposes that was immediately gobbled by the corruption that has brought the country to the brink of disaster.
Why would anyone expect that there is the moral will to stop this?
What is South Africa going to do about it?
As they don't have a GDPR-style data protection act they probably can't fine them enough for them to notice.
I guess it's now contempt, which might let them imprison the top brass. That might make them sit up and pay attention.
Personally charging the brass is the only thing that will compel companies to take this kind of thing seriously, I'm afraid.
Years ago Massachusetts had a bill that would hold executives personally responsible if they either knew about security issues, could/should have known about them, or failed to implement proper measures to counter them.
Unfortunately, the bill did not pass.
South Africa does have a GDPR-style PoPI (Protection of Personal Information) Act. It's been long coming, but as I recall, it's not fully in effect yet. The laws dealing with company malfeasance do allow for the board and/or directors to be help personally criminally liable. Of course that would probably become some local mid- or country-level scapegoat, but it would at least be a god start.