What was described as a data leak affecting a small number of Absa’s customers back in November 2020 could be more widespread than initially thought.
At that time, the bank disclosed that a data leak had taken place in October, with about 200 000 customers believed to have had their data potentially compromised.
Now, Absa has sent mails to more customers, warning them that they could have been targeted as well.
“Following Absa’s announcement of an isolated data leak in November 2020, and a resultant independent forensic investigation, we have now identified more compromised data and are contacting impacted customers directly,” the letter reads.
“Unfortunately, this leak encompassed some of your personal information, including your identity, cellular and account numbers.”
The original breach was believed to be the work of a rogue employee who had stolen customer data and sold it to a third party, and the bank impounded the devices on which the compromised data was believed to reside.
Absa is cautioning customers whose data has been leaked to be wary of interactions with people claiming to be with the bank – although it is also heightening precautionary measures and may call customers to validate potentially suspicious transactions.
“Fraudsters may pose as a representative of a bank, in their attempt to defraud you,” the bank warns customers. “Please do not disclose your online banking PIN, password, card CVV, PIN or one-time password to anybody, irrespective of the circumstances. Absa will never ask you to share these confidential details. If unsure, terminate the call and call our fraud hotline.
“Furthermore, never approve a mobile banking application request or any other transaction request if you are not the one carrying out the transaction. We will never request you to approve the reversal of unauthorised debit orders, and have put in place measures to prevent and detect potential unauthorised debit orders.”
Update: Absa statement
Since the initial article was published (above), Absa has released the following statement:
Absa notified a limited group of customers in South Africa in November 2020 that some of their data had been exposed to third parties. We stated at the time that investigations continue to assess the full scope of the incident.
The exposure had resulted from an employee selling data to a small number of external parties. This was a serious breach of Absa’s data privacy policy and an unlawful act. The employee was dismissed and faces criminal charges as we have zero tolerance for offences of this nature.
Ongoing investigations into the leak revealed that selected data relating to an additional group of customers in South Africa had been exposed to the third parties. This includes a portion of data from the joint venture between Absa and Ford Credit in South Africa.
We are currently notifying additionally-affected customers via email, letters and/or SMS.
Important customer information:
- PINs and passwords were not exposed in the leak and therefore no third parties have direct access to customer accounts as a result of the exposure.
- The types of data that have been shared include, for example, names, surnames, contact numbers, ID numbers and vehicle details.
- Customers who receive notifications need not take any action as Absa has placed heightened monitoring on accounts as a precautionary measure.
- Customers who have not received notifications need not take any action; we will notify customers directly if they are affected by the leak.
- Criminals often use customer information at their disposal to contact you under false pretenses, purporting to be from legitimate organisations or a bank. They may try to contact you via phone, text message or email, impersonating Absa or another reputable institution. Customers must always be vigilant and must not share their online PIN, online password, card PIN, card CVV number, OTP and/or approval messages.
- Customers can contact our fraud hotline at 0860 557 557 or visit one of our branches.
Absa is dealing with the matter decisively:
- The employee who leaked customer data was dismissed and faces criminal charges.
- Absa obtained court orders enabling search and seizure operations to uncover data in the possession of external parties who unlawfully acquired the data.
- Data found in possession of external parties was analysed, subject to independent forensic review, and deleted/removed from external parties’ devices/premises.
- A criminal case was reported to the SAPS and all implicated parties will be investigated by the SAPS.
- We are collaborating with the South African Banking Risk Information Centre (SABRIC) to ensure that investigations are comprehensive.
- Absa commissioned an independent review of all our controls and processes associated with data protection.
We greatly regret the incident, which we view as the unconscionable actions of an individual, and which are not reflective of Absa’s culture.