Personal data on 24 million South Africans, wrongfully sold by Experian to a person it claimed had "pretended" to represent a "legitimate client", is now not only circulating on the dark web – it's also on clearweb file-sharing sites, according to reports.
Despite assurances from Experian in August that it had obtained an Anton Piller court order – a type of search warrant in legal proceedings – to seize and destroy the data it haplessly passed on, 40 per cent of South Africa's population is now living in the knowledge that any random bod browsing Swiss file-sharing site WeSendIt could have freely downloaded their personal data.
The country has a population of around 56 million people.
Mobile phone numbers, state-issued personal ID numbers, home addresses, banking and work details and email addresses were all included in the file on WeSendIt, according to South Africa's Sunday Times.
The file on WeSendIt contained the details of 24 million people and 800,000 businesses, the same number as we reported at the time of the original breach.
"The breach involves the cross-border flow of personal information. This is unacceptable. Millions of citizens' and businesses' personal information is on the internet with no proper control over it," raged Pansy Tlakula, South Africa's Information Regulator (SAIR), a local equivalent of Britain's information commissioner.
Back in August Experian said: "We can confirm that no consumer credit or consumer financial information was obtained," while admitting: "The fraudster provided Experian with 25,055,049 names, surnames and South African identity numbers which Experian verified. The data shared was limited to contact information including telephone, email and physical address and employment information which includes place of work, title, start date and work contact details."
We have asked Experian to comment on this latest development.
The news comes weeks after the not-quite-stolen data was found to be circulating on the dark web, on souk or souks unknown. A whistleblower told SAIR at the start of September that that file included people's "cell numbers, home and work phone numbers, employment details and identity numbers," to the evident fury of the data regulator.
"The Regulator is extremely disturbed about the information that it has received from the whistleblower, particularly because during the meeting which it held with Experian last week, its Chief Executive Officer, Mr Ferdie Pieterse assured the Regulator that Experian had obtained an Anton Piller order and managed to execute the order in terms of which the personal information of data subjects was appropriately secured," thundered the SAIR in a press statement [PDF].
An Anton Piller order is a civil law search warrant named for a 1975 English case to do with trade secret theft: Anton Piller KG v Manufacturing Processes Limited.
While data breaches traditionally consist of data being stolen, Experian's apparent willingness to hand millions of people's data to one person shows that breaches can come about through lack of due diligence as well as the obvious security-related routes we all know and love. ®