Data breach caught on Telegram, online refund tips and car repo rules

Consumer journalist Wendy Knowler’s ‘watch-outs of the week’

29 October 2021 - 14:08
Information Regulator chair Pansy Tlakula has warned the public not to access a link on the Telegram app that supposedly contains a database with details of millions of South Africans as it could well be the link is a Trojan horse for other malware. Stock photo.
Information Regulator chair Pansy Tlakula has warned the public not to access a link on the Telegram app that supposedly contains a database with details of millions of South Africans as it could well be the link is a Trojan horse for other malware. Stock photo.
Image: 123RF

In this weekly segment of bite-sized chunks of useful information, consumer journalist Wendy Knowler summarises news you can use.

Data breach part 2: the Telegram downloads

This week the Information Regulator dropped a bombshell about the personal information of 25-million South Africans which credit bureau Experian unwittingly handed to a fraudster last year. That database was recently put on Telegram, where it was downloaded more than 100 times before Telegram removed the page with the link to the database.

The data includes phone numbers, e-mail and physical addresses and employment data, but apparently no personal consumer credit, financial or banking information. But frustrated readers told TimesLive that didn’t stop fraudsters from committing widespread identity theft and opening accounts with retailers such as HomeChoice.

The regulator was tipped off to the Telegram news on Sunday. Experian said it reported the matter to the regulator and law enforcement on the same day.​

The regulator was tipped off to the Telegram news on Sunday and contacted Experian.

“Experian has reported to the regulator that it has instructed its lawyers to request the mobile operator [concerned] to suspend the cellphone account of the user who dumped the data and made it publicly accessible,” the regulator said.

According to Experian, the identity of the person who illegally disclosed the personal information of data subjects without their consent is unknown.

Information Regulator chairperson Pansy Tlakula warned the public not to access the link provided on the Telegram app.

“We urge members of the public to exercise caution when coming across the link that supposedly contains a database with details of millions of South Africans as it could well be the link is a Trojan horse for other malware.”

If you distribute that information, you’re committing a crime.

If you would like to know if your data has been breached, e-mail breach@securecitizen.co.za. Secure Citizen is the data identity arm of the SA Fraud Prevention Service.

Experian said in response: “We are aware of messages sent to a limited group of people on social media messaging platforms on Sunday, 24 October 2021. They related to last year’s data incident and is not a new data incident. We immediately informed law enforcement and the appropriate regulatory bodies on that Sunday and supported them in their investigations while also carrying out our own.

"Before noon on Tuesday, 26 October 2021, those files were deleted and removed from the messaging platform. Our Global security teams remain vigilant and continue to monitor the internet as the possibility exists for further posting of this data and we will deal with any posts as quickly as is possible. We remain committed to supporting people and businesses in South Africa by continuing to offer free credit enquiry alerts until the end of December 2023 and other support services free of charge until February 2022.”   

Bank can repossess your car, but not without following a legal process

Even if you’re behind in your car repayments, don’t be bullied into surrendering your car to someone who confronts you in a shopping mall parking lot and tells you they’ve been sent by your bank to repossess your car.

It’s a practice that irks SA’s Banking Services Ombudsman Reana Steyn.

“Some people have complained to us about being coerced into giving the vehicle back to the bank by so-called tracers,” she said.

“Never give your movable property to people unless they provide proof they are the Sheriff of the Court, and give you an original court order authorising them to repossess the asset.”

In the absence of a court order, the only other way a moveable asset such as a car may be repossessed is if you voluntarily give it back to the bank by signing a voluntary termination notice (VTN).

“Consumers must make sure they understand exactly what they are signing before providing their signature on any documents, particularly when they are in default with their vehicle finance agreement,” Steyn cautioned.

The ombud’s office has received more than 460 vehicle finance-related complaints this year so far.

Some complainants said the bank repossessed their vehicles without a court order or without them having signed a VTN, she said.

“In some instances the bank obtained a signed VTN letter but failed to comply with the requirements as set out in terms of section 127 of the National Credit Act, such as sending a letter to the customer advising them how much the vehicle/asset was valued at.

“In such instances, we recommended the bank write off the outstanding balance and/or pay a distress and inconvenience award to the impacted consumer,” Steyn said.

“Each case is decided on its own merits and the distress and inconvenience awards given are intended to ensure similar instances are avoided by banks, rather than aimed at enriching consumers.”

Don’t let online retailers deny your rights

If you don’t know your rights as a consumer, retailers will get away with trampling on them.

“Theon” e-mailed me last week to say he’d bought a R4,500 pair of Adidas Yeezy sneakers from an online store, but when they arrived they were too small.

The downside of buying shoes and clothing online is you don’t have an opportunity to try them on first to make sure they fit you.

The upside is that when you buy such goods online, you have the protection of the Electronic Communications and Transactions Act, which gives you a cooling period of seven days in which to return the product (at your cost, if the e-retailer doesn’t choose to absorb it) for a full refund.

But that’s not what happened in Theon’s case. Well, not initially.

“When I contacted the store they said they do not have any bigger sizes and they do not do refunds on Yeezy sneakers because they are special releases," he told me.

“Do I have any protection?”

Having filled him in on his legal right to return the sneakers within a week — regardless of whether they are special releases or on sale, or anything else — he got back to me with better news.

“Thanks for the advice. After putting that to them they eventually allowed me to log the return for a refund.”

Before you buy anything online, check the company’s returns policies. If you don’t see something about being able to return unsuitable products for a refund within seven days of delivery, move right on.

CONTACT WENDY: E-mail: consumer@knowler.co.za; Twitter: @wendyknowler; Facebook: wendyknowlerconsumer

Editor's note: EDITOR'S NOTE: This story has been amended to reflect that Experian indicated that it had independently reported the matter to law enforcement agencies. The article initially stated that the regulator had contacted Experian after being alerted by a whistleblower. The story has also been amended to attribute the statement that fraudsters opened accounts with retailers such as HomeChoice to members of the public who contacted us.


subscribe