Details of Absa data breach
LEAK: ‘RELATES TO SMALL PORTION OF CLIENTS’
Information shared by an employee does not include passwords or pin codes, according to the bank.
Information shared specifically does not include passwords or pin codes.
An Absa employee accused of leaking some of the bank’s South African customer data to third parties provided the information, which included client ID numbers, bank account numbers, credit card numbers and mobile phone numbers, to several third parties in return for payment.
Responding to questions from TechCentral, the bank said the information shared specifically does not include passwords or Pin codes. However, Absa said it is worried fraudsters could still try and take advantage of the situation.
TechCentral’s questions to Absa, and the bank’s answers, follow.
What specific client information was leaked?
The types of data that was shared includes names and surnames, identity numbers, physical addresses, bank account and/or credit card numbers, mobile contact numbers, and vehicle details.
The data that was shared does not include passwords or Pin codes.
In some cases it was the ID numbers and phone numbers of some customers that were shared; in other cases, it was the vehicle financing details, etc.
How many client records were leaked?
We have not completed the investigation, so we would not want to provide a definitive number at this stage.
What we can confirm is that, so far, only a fraction of Absa’s customers in South Africa have been affected by the leak.
Given that Absa said it enhanced the monitoring of affected clients’ accounts, does this mean Absa is concerned the information leaked can be used to compromise accounts? If so, how?
The data alone does not give third parties direct access to the money in customers’ accounts. Pins and passwords were not shared as part of the leak.
However, fraudsters are always on the lookout for opportunities.
Was the information provided to third parties in return for financial reward?
At least in some instances, it is apparent that selected data was sold to third parties.
What does Absa know about the third parties who received the information? How many third parties are there? And are they believed to be malicious actors?
At this stage, it is a handful of external parties, but we will be able to provide a definitive number only once our investigations have been completed.
We have taken legal steps pertaining to the parties that received data and may still take further steps. It would not be appropriate, therefore, to share the identity or details of the companies or individuals involved at this stage as it may compromise the success of the legal avenues.
When did Absa first discover the leak and what prompted it to go to court?
A whistle-blowing report was issued to the chief security office on 26 October. Had we communicated to customers immediately, we may have jeopardised search-and-seizure operations.
Absa approached the court to determine the nature of the data shared and recipients and to secure orders for search-and-seizure operations.
Which regulators has Absa reported the leak to and what has been the response of those regulators to date?
Absa reported the matter to the Information Regulator, the Prudential Authority and the Financial Sector Conduct Authority. It would not be appropriate for Absa to comment on their response.
What rules, processes or systems is Absa able to put in place to prevent this sort of incident in future?
Absa takes the protection of personal data extremely seriously and has taken proactive steps to mitigate the risk of customer data being misused as well as taking steps to address the internal processes that enabled the employee to share the data.