Information apparently drawn from a massive leak of its data is "on the internet", credit bureau Experian admitted on Tuesday night.

Staff Writer | Business Insider SA

To date the company has insisted it had contained the breach, after handing over data on millions of South Africans, and bank account details of businesses, to someone it describes as a fraudster.

Now it says it will work to stop the further spread of the information.

As part of its investigation, "we have identified files which we believe contain Experian data relating to the incident on the internet," Experian said in a statement.

"We continue to investigate these files and will take all steps available to us to reduce further dissemination if possible."

It also claimed – in direct contradiction to a timeline it has confirmed – to have taken "immediate steps to make sure that individuals and businesses in South Africa could take steps to protect themselves" once it became aware of the breach.

Experian announced the breach publicly in August, and banks started to issue warnings to their customers that the leaked information may be used to scam them.

What the company failed to mention, until questioned by Business Insider South Africa, was that it had handed over the information in late May, and noticed it had done so nearly two months later, in July.

It took nearly another month to investigate and obtain a private seizure order to recover the hardware on which the data had been stored.

Only after that did Experian tell consumers about the breach. 

Having seized the hardware, the company said, it had contained the incident.

"We have been monitoring the various platforms (i.e. the dark web) to ascertain whether the data is being offered for sale. We also employed a leading digital forensic investigator to assist us with our efforts," Experian said, when Business Insider asked how it knew the information had not been sold or distributed in the nearly three months it was with the "fraudster".

"Also, from our internal investigations we ascertained that the fraudster conducts an insurance and credit services market place and uses the information to contact consumers in order to offer services to consumers."

Experian has not said how it initially failed to detect the spread of the information, or exactly how it intends to contain the data this time around.