Experian South Africa data breach (South Africa, 2020)
A fraudster posing as a legitimate Experian client obtained the personal data of 24 million South Africans and 793,749 businesses in what became one of the largest data breaches in South African history.
- Victim: Experian South Africa
- Records: 24.0M
- Users: 24.0M
On 19 August 2020, Experian South Africa, the local arm of the global credit bureau, disclosed that an individual posing as a legitimate client had obtained the personal data of 24 million South African consumers and 793,749 businesses. It is widely cited as one of the largest data breaches in South African history.
What happened
This was not a network intrusion but a social-engineering / impersonation attack. A person represented themselves as an existing, authorised Experian client and requested data, ostensibly to generate marketing leads for insurance and credit-related services. Believing the request legitimate, Experian handed over the data and only later determined that the requester was fraudulent.
Once the deception was uncovered, Experian moved quickly through the courts. It obtained and executed an Anton Piller order (a civil search-and-seize remedy) that allowed it to impound the suspect's hardware and to recover and delete the misappropriated data. Experian stated that it had identified the individual and that the data had been secured before wider dissemination.
Impact
- Personal information on 24 million consumers and 793,749 businesses was exposed.
- Experian maintained that no consumer credit or financial information and no banking details were taken; what was released was chiefly contact and demographic details, much of it described as already publicly available.
- The incident drew sharp scrutiny from South Africa's Information Regulator, which publicly expressed shock at the breach and questioned Experian's notification compliance under POPIA (the Protection of Personal Information Act), then in its enforcement transition period.
Why it matters
The Experian South Africa breach is a textbook case of human-layer failure at a data broker: the attacker never needed to defeat technical controls because the bureau voluntarily released the data to someone it failed to authenticate. It highlighted the systemic risk of credit bureaus holding vast population-scale datasets and releasing them to "clients," and it became a defining early test of POPIA enforcement β pressuring South African organisations to tighten client-verification and data-release controls.
Timeline
An individual posing as a legitimate Experian client requests data, ostensibly to generate marketing leads for insurance and credit services.
Experian releases the data to the impersonator before identifying the request as fraudulent.
Experian obtains and executes an Anton Piller order, impounding the suspect's hardware and securing the misappropriated data.
On 19 August 2020, Experian South Africa publicly discloses the incident: 24 million consumers and 793,749 businesses affected.
South Africa's Information Regulator publicly criticises Experian's handling and notification compliance under the Protection of Personal Information Act (POPIA).
Sources
- dataguidance.com: https://www.dataguidance.com/news/south-africa-experian-south-africa-announces-data
- herbertsmithfreehills.com: https://www.herbertsmithfreehills.com/notes/fsrandcorpcrime/2020-08/experian-exposed-to-south-africas-biggest-ever-data-breach
- techtimes.com: https://www.techtimes.com/articles/251930/20200820/experian-south-africa-confirms-data-breach-24-million-customers-impacted.htm
- inforegulator.org.za: https://inforegulator.org.za/wp-content/uploads/2020/07/ms-20211027-Experian.pdf
- iafrikan.com: https://iafrikan.com/experian-data-breach-end-of-a-chapter/