back to article Personal data from Experian on 40% of South Africa's population has been bundled onto a file-sharing website

Personal data on 24 million South Africans, wrongfully sold by Experian to a person it claimed had "pretended" to represent a "legitimate client", is now not only circulating on the dark web – it's also on clearweb file-sharing sites, according to reports. Despite assurances from Experian in August that it had obtained an …

  1. Drew Scriver Silver badge

    Didn't they fire that one guy whom they said was solely responsible for the previous breach?

    Thought that was going to ensure it would never happen again...

    1. Anonymous Coward
      Anonymous Coward

      Maybe that's the guy they were selling the data to?

      Just curious :)

  2. Eclectic Man Bronze badge

    Cynically

    Just wait, they'll claim it is a back up:

    https://www.theregister.com/2020/09/14/who_me/

  3. 2+2=5 Silver badge
    Facepalm

    Are you Experianced?

    > Despite assurances from Experian in August that it had obtained an Anton Piller court order

    That must have come as a complete shock: a proven liar who who previously lied to Experian also lied to the Court about agreeing to abide by the order.

    What's that saying? Fool me once...

  4. Mike 137 Silver badge

    The $64,000 question

    One has to ask whether it's reasonable and proportionate for any one company to collect all this information without any choice on the part of the data subject. Just for example, in what way are "employment information which includes place of work, title, start date and work contact details" relevant to current credit rating, reporting on which which is the only even notionally legitimate function of a credit reference agency?

    1. Anonymous Coward
      Anonymous Coward

      Re: The $64,000 question

      Speaking as a former employee of Experian. They do a lot more than just credit references. They collate a vast amount of data on everyone and everything and use it for lots of things.

      1. Marketing purposes e.g. if company X wants to send out junk mail, who are the people who are more likely to respond positively to it? A crude example would be not to send out mailings about the latest top of the range Mercedes to people living on a council estate; while you might get some positive hits, you will get more bang for your advertising buck by mailing to those with certain jobs, residential areas, life aspirations and incomes.

      2. Where to build stuff? A huge amount of analysis goes into where to build things like a McDonalds. The number of people who would walk there at lunch time, office workers, school kids, shoppers etc based on analysis of the number of each type of potential customer and their distance from the proposed store, taking into account competition for other burger chains. If there is to be a drive in, detailed analysis of the traffic flows around the area and how likely people would be to use it.

      Experian have their fingers into every data source available. I was shocked at the colossal amount of data they have on every individual and household in the country. We all have our own unique ID number. When collated it is a goldmine for businesses of many types. They have everything from electoral registers to data on who have bought what new car from what dealership to how many kids (and ages) are in the household, what schools they are likely to attend etc. They were also looking at collating data on shopping via loyalty cards, so they would also know what you buy, where and when - not sure if that one ever got off the ground as the amount of data involved was pushing the limits at the time.

      Have you ever come across area profiles on the net? Experian is the powerhouse behind the data. e.g. you put in a post code and you get a breakdown of the crime rate in that area, the house prices, average household incomes and various other data.

      I could go on, but you get the basic idea.

    2. Alister Silver badge

      Re: The $64,000 question

      Haven't you ever had a credit check? Those are all the sorts of questions they ask you when applying for credit.

    3. grumpy-old-person

      Re: The $64,000 question

      This happened in South Africa where the ANC government just increased the state debt by taking a huge loan for COVID-19 purposes that was immediately gobbled by the corruption that has brought the country to the brink of disaster.

      Why would anyone expect that there is the moral will to stop this?

  5. Richard 12 Silver badge

    The $128 million dollar question

    What is South Africa going to do about it?

    As they don't have a GDPR-style data protection act they probably can't fine them enough for them to notice.

    I guess it's now contempt, which might let them imprison the top brass. That might make them sit up and pay attention.

    1. Drew Scriver Silver badge

      Re: The $128 million dollar question

      Personally charging the brass is the only thing that will compel companies to take this kind of thing seriously, I'm afraid.

      Years ago Massachusetts had a bill that would hold executives personally responsible if they either knew about security issues, could/should have known about them, or failed to implement proper measures to counter them.

      Unfortunately, the bill did not pass.

    2. Anonymous Coward
      Anonymous Coward

      Re: The $128 million dollar question

      > I guess it's now contempt, which might let them imprison the top brass.

      The Anton Piller order was against the miscreant, not Experian.

      1. fuzzie

        Re: The $128 million dollar question

        South Africa does have a GDPR-style PoPI (Protection of Personal Information) Act. It's been long coming, but as I recall, it's not fully in effect yet. The laws dealing with company malfeasance do allow for the board and/or directors to be help personally criminally liable. Of course that would probably become some local mid- or country-level scapegoat, but it would at least be a god start.

  6. Imhotep Silver badge

    Isn't this the case wher Experian claimed that the individual "gave the data back"? Like it was a piece of equipment?

    No one with two brain cells to rub together thought that their reassurances were anything but nonsensical at the time.

    1. Julz Silver badge

      Giving data back is something you can do over and over and over and over...

  7. Sceptic Tank
    Pirate

    Who cares?

    Who cares if our mobile numbers were leaked? My number is in the hands of every telemarketer known to man already.

  8. David Roberts

    Anton Pillar (sp?) order?

    How is this different in a data age from issuing a court order for Pandora to recapture all the contents of the open box?

    1. Insert sadsack pun here

      Re: Anton Pillar (sp?) order?

      Piller is the correct spelling.

      https://www.bailii.org/ew/cases/EWCA/Civ/1975/12.html

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020