Absa uses broad powers to plug its data leak
Absa Bank moved decisively to recover leaked client data after conducting a court-sanctioned search-and-seizure operation late last week that led to the destruction of unlawfully obtained information held by three individuals and a business based in Durban.
A copy of the court order last week that Business Day has seen reveals that the bank sought a so-called Anton Piller order against the four respondents in late November.
After the order was initially opposed, the court approved the order on Wednesday last week. On Friday, the bank confirmed it had executed the order, which had found the bank’s confidential client information on seized devices. Absa has since destroyed the data.
The leak — in which about 200,000 accounts out of more than 10-million in the bank’s retail franchise were compromised — comes after a much larger leak by credit bureau company Experian earlier this year, perhaps indicating how valuable client information has become to a range of legitimate and illegitimate users of data.
But the order also reveals how extensive the powers granted to a successful applicant can be in the event of an unlawful data breach.
New regulations coming into effect in July next year could see individuals and companies fined in the event that the information regulator deems insufficient controls existed to protect client information as described in the Protection of Personal Information Act.
In Absa’s case, the bank received permission — with a sheriff of the court attending — for its nominated legal representatives, along with a small army of forensic experts, to access all
three individuals’ personal residences and vehicles, as well as the premises of the business.
After obtaining access, the order granted the bank the right to search any digital device on the premises including external hard drives, flash drives and smartphones, as well as any other external storage repository including cloud-based services such as Dropbox.
Any items that appear to contain Absa’s confidential client information can be copied and seized by the sheriff for further analysis until the bank is satisfied that all its information has been destroyed or deleted.
The actions are part of efforts to investigate the unlawful leak by one of its employees, who has been criminally charged.
Absa says the employee sold data to third parties, including identity numbers and contact information, as well as more sensitive information such as bank account numbers.