Court hears of impact of Experian data breach by hacker Karabo Phungula

Karabo Phungula was convicted of fraudulently obtaining the personal data of millions of South Africans last year.
Image: Phathu Luvhengo

Data services firm Experian has incurred more than R5.6m in costs since its data breach incident to prevent harm and further proliferation of the information.

This was revealed by Experian Africa CEO Ferdie Pieterse when he testified at the Johannesburg specialised crimes court sitting in Palm Ridge on Tuesday.

“Experian went to quite an extent when we became aware of this data breach at the time it happened,” he said.

Pieterse was testifying during the hearing of mitigating factors and aggravating circumstances in the sentencing of Karabo Phungula.

Phungula was last year convicted of fraudulently obtaining the personal data of millions of South Africans.

He appeared in court on Tuesday after a logistical bungle by the department of correctional services that led to him failing to appear on Friday for his sentencing.

In October last year, the court found Phungula guilty of illegally acquiring personal and business data from data services firm Experian.

Pieterse said the R6.5m was just for a third-party service provider. “This is the cost of the third party when we involve them in this matter.”

He said the company incurred other losses as a result of the incident, including ceasing to provide marketing services to its clients.

“Typically clients of ours will approach us with specific data or specific requirements to address their own data for collection services. We will then go and analyse and provide them with market insights, with information so that they can do either marketing campaigns or update their own marketing data,” he said.

He said that after the incident the company had to stop its marketing services, which generate about R65m worth of revenue annually.

He added that the company also received intensive scrutiny, with an audit from the National Credit Regulator (NCR).

He said they paid the NCR an administrative penalty of R5m.

“We have incurred a one-time cost of R6.5m and R5m administrative penalty, ongoing basis revenue of R65m with an estimated profit of that revenue of R48m,” he said.

Phungula was arrested in September 2021 on charges of fraud and contravention of the Electronic Communications and Transactions Act.

His arrest was in connection with an incident in May 2020, when Experian handed over the data of more than 23-million people and nearly 800,000 businesses to Phungula, who impersonated a businessman who was authorised to have the information.

Experian detected the breach on July 22 2020, more than 50 days after the data had already been transferred.

The matter is expected to resume on Wednesday for the court to hand down sentence.

TimesLIVE
