Experian’s massive data breach revealed

Some 24m people’s information and that of 780 000 businesses has been fraudulently acquired: Manie van Schalkwyk, CEO of Southern African Fraud Prevention Services, explains.

NOMPU SIZIBA: Experian South Africa, which is a credit bureau, has reported that the company suffered a data breach. Some 24 million people’s data was acquired and around 780 000 businesses’ data as well. But, according to some reports, the bureau says that it has since found the person who extracted the information, and that it’s been destroyed. But how much comfort can this give South Africans, given that data can be transferred within a matter of seconds?

Well, to discuss this matter further, I’m joined on the line by Manie van Schalkwyk, the CEO of the Southern African Fraud Prevention Services. Thank you so much for joining us, sir. So we know, or do we understand, how this breach happened in the first place? It does sound like Experian handed over this data to whomever was applying for it, because this person was obviously representing themselves falsely. But how does that happen? One would have thought that the systems would be very sophisticated for that amount of data to be handed over to any one person.

MANIE VAN SCHALKWYK: Yes. Hello, good evening, Nompu, and thank you for inviting me to your show. Unfortunately, I’m not privy to what happened. I think Experian is in a better position to answer that. And I would also imagine that the information regulator, the National Credit Regulator, will be on top of all of those kind of things to see exactly how it happened, and how that information was breached, and if all the processes were followed to sign up a client properly, and what verifications were done. So one would assume that all of those processes must be in place.

I’m more concerned about what happens now. You quite correctly have stated that, yes, they could have found the person and destroyed the information that was in his or her possession. But one doesn’t know whether this has been sold to the Dark Web, or wherever information may have gone.

So it still leaves consumers like you and me maybe vulnerable, where our information is available to people who shouldn’t have it. And I think we, as consumers, need to  be vigilant and understand how this data is used. Perhaps I could just give you some examples of what we’ve seen in the past when people steal data. Clearly I heard in a previous interview that not all the data was stolen, but it’s things like ID number, cellphone number, address, information – those kinds of things. So the fraudsters who have this information will usually contact the consumer on the premise that they are phoning from the bank. And then they will try to instil confidence in the consumer and say this is XYZ quoting from the bank, and there’s a big debit order going off your bank account. Should we stop this?

Your immediate response will be to say yes, and then they will instil confidence. They say: “We see you live here, we see this is your telephone number, your email address. Oh gosh, my system just went down, please give me your bank account detail quickly, because  I need to stop this debit order. I’m not supposed to ask you for your pin, but to stop it immediately, please give me your pin.” And by that time you are kind of trusting this person. He’s provided some information which makes sense – which is you, which is what belongs to you. And through that process you kind of think, okay, this is from a bank which is really planning to help me; let me give that information.

And that is my big message to consumers – to say, although some of that information now looks stolen, we have now got the duty as consumers to say, well, how do we protect the rest of that information that we don’t have financial loss.

NOMPU SIZIBA: Manie, what really is the extent of this problem? We’ve heard about some big companies, particularly the banks, being infiltrated. And, despite their investments in cybersecurity and all those fancy things, the cyberhackers or thieves still seem to be one step ahead.

MANIE VAN SCHALKWYK: Yes. I agree. Experian is an international company, and  the banks have got the best systems in place. Earlier this week we saw an insurance company got hacked. And I do think globally we all do what we can, but it takes one clever fraudster to outwit us.

So I think it just puts it right back on the agenda to say, do we have the best and the latest technologies available to make sure that our systems are not infiltrated, and processes and procedures to make sure that whoever subscribes to us, this is legitimate and it’s not a finger to anybody, because I think we are all in this thing, If we’ve got a database at all we are at risk of fraudsters having fun with us.

NOMPU SIZIBA: You’ve explained nicely how a consumer can unwittingly sort of give their information to these guys who are very sophisticated in the way that they extract the information that they need to commit crime. But if, say, a consumer does think something off has happened, where can they go?

MANIE VAN SCHALKWYK: Well, my first thing will be to go to the credit bureau and get a credit bureau report. See what’s going on in your credit report, and see if you’re not maybe a victim of high-risk theft. You will see that from accounts which have been opened which you’re not aware of, any inquiries on your credit bureau profile that you’re not aware of. If you become a victim of identity theft, you can contact the SAS, which is the organisation that I work for. It’s a non-profit organisation and we do a free service to consumers for additional protection. They can email us at protection@SAS.org.za, and we will get in contact with them. Or they can just SMS the word protectID, one word, to the number 43366.

NOMPU SIZIBA: Excellent. And then lastly, the title of the company that you belong to contains “Southern African”. Presumably you look at other countries in the Southern African region. How much of a problem is this in those other economies around South Africa?

MANIE VAN SCHALKWYK: We still haven’t opened offices in other countries, but we have spent some time there in the past couple of months before the lockdown. And I can tell you, South Africa is well equipped to deal with these kind of challenges that we are facing.

NOMPU SIZIBA: Manie, thank you so much for that. That was Manie van Schalkwyk, the CEO of the Southern African Fraud Prevention Services.



Sort by:
  • Oldest first
  • Newest first
  • Top voted

You must be signed in and an Insider Gold subscriber to comment.


Banks need to fix their internal systems to stop these scenarios repeating themselves. Currently, when a bank employee phones a customer, they ask us for our personal details “to confirm we are talking to the right person.” This makes absolutely no sense.

If the customer phones the bank, yes, the customer needs to verify their identity to someone in the bank’s call centre who can safely be assumed to be a bank employee. But if the bank phones the customer, they expect the customer to give confidential personal information to a complete stranger who claims to be calling from the bank.

Complete insanity, as set out in Manie’s first section above.

Some municipalities now require you to submit, 3 months bank statement, sign a Transaction Capital Recoveries form ( for information to be sourced from the Credit Bureaus)in order to to be checked if you qualify for indignant subsidy (are the bank statements, SARS proving that you have no monthly income enough?), what difference or positive impact does ones complete credit profile provide because the qualification criteria has been proof that you are a pensioner and bank statements if you apply for pension subsidy and for indigent, proof that you have not been working, affidavit and bank statements.
Why also is the criteria not standardized!

End of comments.



Subscribe to our mailing list

* indicates required
Moneyweb newsletters

Instrument Details  

You do not have any portfolios, please create one here.
You do not have an alert portfolio, please create one here.

Follow us:

Search Articles:
Click a Company: