On Wednesday 19 August 2020 news broke that Experian, a consumer, business and credit information service agency suffered a significant data breach which exposed personal information of approximately 24 million South Africans and 793,749 business entities to a suspected fraudster. This is one of the largest ever data breaches experienced in South Africa. According to Experian, the fraudster posed as a legitimate client resulting in information being provided.
While banks maintain that the bank accounts of individuals and businesses are not at risk, the information obtained by criminals could be used to impersonate individuals or result in confidential information being provided by unsuspecting consumers.
Experian has confirmed that the data breach was reported to law enforcement and the appropriate regulatory authorities. The prosecution of cybercrime in South Africa is primarily regulated by the Electronic Communications Act 25 of 2002 (“the ECTA”) and the Cybercrimes and Cybersecurity and Related Matters Bill, which is yet to be enacted (“the Cybercrime Bill”). In this regard the ECTA and the Cybercrime Bill are to be read in conjunction with South African common law, where applicable. South Africa is still in its infancy years in developing its cybercrime regulatory framework and the extent to which regulators seek to take any further action is yet to be determined.