Security News > 2020 > September > Personal data from Experian on 40% of South Africa's population has been bundled onto a file-sharing website
Personal data on 24 million South Africans, wrongfully sold by Experian to a person it claimed had "Pretended" to represent a "Legitimate client", is now not only circulating on the dark web - it's also on clearweb file-sharing sites, according to reports.
Despite assurances from Experian in August that it had obtained an Anton Piller court order - a type of search warrant in legal proceedings - to seize and destroy the data it haplessly passed on, 40 per cent of South Africa's population is now living in the knowledge that any random bod browsing Swiss file-sharing site WeSendIt could have freely downloaded their personal data.
Back in August Experian said: "We can confirm that no consumer credit or consumer financial information was obtained," while admitting: "The fraudster provided Experian with 25,055,049 names, surnames and South African identity numbers which Experian verified. The data shared was limited to contact information including telephone, email and physical address and employment information which includes place of work, title, start date and work contact details."
"The Regulator is extremely disturbed about the information that it has received from the whistleblower, particularly because during the meeting which it held with Experian last week, its Chief Executive Officer, Mr Ferdie Pieterse assured the Regulator that Experian had obtained an Anton Piller order and managed to execute the order in terms of which the personal information of data subjects was appropriately secured," thundered the SAIR in a press statement [PDF].
While data breaches traditionally consist of data being stolen, Experian's apparent willingness to hand millions of people's data to one person shows that breaches can come about through lack of due diligence as well as the obvious security-related routes we all know and love.