The Development Bank of Southern Africa Limited (DBSA) has confirmed that it was subjected to a ransomware attack by a malicious threat actor on about 21 May 2023.
Based on preliminary investigations, the DBSA believes the threat actor to be Akira, a Russian ransomware group, although this is not the final determination as investigations are still ongoing.
The bank has issued a statement detailing how various servers, logfiles and documents were encrypted by Akira, which threatened to publish the encrypted information to the dark web in the event that their demands for payment were not met.
A DBSA investigation has determined that the following categories of records of personal information may have been unlawfully accessed or acquired by the threat actor:
* Certain documents required to be collected by us under the Financial Intelligence Centre Act 39 of 2001, which includes information relating to customers’ business name, the names of their directors/shareholders, physical address;
* Identification documents and national identification document numbers;
* Contact details, including telephone and cell phone numbers and email addresses; and
* Details of the commercial or employment relationship with the DBSA, and financial information pertaining to stakeholders.
While investigations are ongoing the bank believes this to be the extend of the data breach.
” However, given the nature of the personal information acquired, we believe that malicious actors may attempt to impersonate stakeholders using the compromised personal information,” the DBSA states. “As a result, DBSA encourages stakeholders to remain vigilant and alert to any evidence that their personal information is being used incorrectly, and take care to identify any unauthorised actions.”
The bank has appointed a forensic investigator who is currently assisting in investigating the full extent of the incident and is monitoring the Dark Web to determine whether the personal information has been published. It has also appointed legal advisors to ensure it remains complaint with all obligations under law, including, our obligations under POPIA.
Law enforcement agencies and relevant regulators, including the Information Regulator (South Africa), have been consulted.
Meanwhile, the DBSA has restored its information systems environment in accordance with our disaster recovery procedures and revoked all third-party access to our information systems to prevent any further access to the information on our systems.
“The responsible use of personal information is not negotiable at the DBSA and we regret that the Incident has occurred,” it states further. “We are also undertaking a review of our technical and organisational controls to minimise the risk of an incident of this nature from occurring in the future. In addition, we will continue to follow generally accepted industry practices to prevent the reoccurrence of similar incidents.”