From the media reports so far, there is little evidence to suggest the Experian "incident" was a cyber crime. The most obvious conclusion is that this was nothing more than "seller's remorse". After agreeing to the sales price, Experian discovered the customer had received more information than he/she had paid for. As Experian has stated, there was no "hack" by some cyber crook. There was no technology failure.
There is growing evidence that what happened at Experian is no different from what is currently happening at hundreds of other South African companies right now. What is unfortunate for Experian is that the Protection of Personal Information Act has commenced. On 17 June 2020 the President determined that sections 2 to 38, 55 to 109, 111, 114(1), (2) and (3) would commence on 1 July 2020. This means that Experian has probably contravened sixteen sections of POPIA. The Information Regulator has announced she has opened an investigation into this matter to find out what really happened and which sections have been contravened. The sections that empower the Regulator to do so (e.g. sections 74, 77, 79, 81, 89, 95 and 109) all commenced on 1 July 2020.
It is not only Experian who will be investigated. There are usually at least two parties to a transaction, and possibly many more to an event. One of the actions taken by Experian was to notify other companies of the "breach". It has been reported that at least 26 banks received this notification. Further, it has been reported that these banks allegedly received details of the 23 million South Africans whose data was compromised. It has also been reported that people received notifications of the breach from banks with whom they do not bank. So now there are further breaches of POPIA, this time by some of the banks.
The Information Regulator has her hands full. It's not only Experian that is being investigated, but the 26 banks who received the notification from Experian and any other organisation involved, for example, all the other credit bureaux. And this is just the start!
What can companies learn from the Experian "incident"?
Right now there are at least sixteen sections of the Protection of Personal Information Act that they, like Experian, may be in breach of. These are among the sections of the Act that commenced on 1 July 2020. Contrary to what many have assumed, the Information Regulator is investigating non-compliance, and there could be significant consequences for Experian.
The "incident" was not the result of a cyber attack. Experian are under investigation because their "normal business practices" do not comply with the sections of the Protection of Personal Information Act that have commenced.
This should be a warning to all companies. You are just moments away from non-compliance being identified. POPIA has commenced and the risks are real.
South Africans' personal information is on the dark web
Little information has been made available as to how the personal information of 23 million South Africans made its way to the dark web. But Experian have acknowledged that they are the source. The file on the Internet is their file. When and how it leaked onto the Internet is anyone's guess. It could have happened a long time ago, or just within the last few months. Regardless, according to POPIA, personal information must be protected, something Experian has failed to do. Removing this information from the dark web is impossible. You can keep deleting each copy as it appears, but this does not remove it forever. Everything on the Internet is copied many times over. Take a look at the Wayback Machine.
Experian will always be known as the source of South Africans' names, addresses, email addresses, employment history, identity numbers, etc. on the Internet. You can be certain this information will be sold many times over in the years to come. Those people who, for whatever reason, have needed to keep their home addresses private must now live in fear of that unwanted person arriving unannounced. How would you feel if you had had to move because of a stalker? The risk of physical harm to some is real.