Absa has suffered a data breach affecting a number of its clients. The bank confirmed that the following personal information was exposed to external parties:
- Identity numbers
- Contact details
- Physical addresses
- Account numbers
Absa did not state whether any other client information has been exposed in the breach. However, the bank said it may contact affected customers to validate potentially suspicious transactions going forward. The precise number of affected customers remains unconfirmed, but Absa has referred to it as a “small portion” of its client base.
On Monday 30 November, the bank sent an email to affected clients warning them that their personal information had been shared with third parties.
“We regret to notify you that Absa has identified an isolated internal data leak whereby personal information of a limited number of Absa customers was shared with parties external to the bank.”
“Unfortunately, some of your personal information formed part of this data which included your identity number, contact details, address and account numbers.”
“Absa takes the protection of personal data extremely seriously and has taken proactive steps to address the potential risk to our customers.”
“As part of these monitoring measures, you might receive a phone call from us to validate potentially suspicious transactions to ensure heightened protection of your interest.”
“Please note that we will never ask you to share your ‘keys to the safe’ (including your online banking PIN or password or your card CVV, PIN or one-time password) with us or to approve activities to prevent fraud.”
Absa said it has put measures in place to prevent and detect unauthorized debit orders on the accounts of affected clients.
“Be assured that we will contact you if we detect unauthorized debit orders on your account.”
“Kindly note that we will never ask you to approve the reversal of unauthorized debit orders.”
The bank said it was constantly improving its defenses against cybercrime and, as a result of this incident, it has further refined its controls and protection processes.
Absa told MyBroadband that the data was exposed due to the actions of an employee who acted unlawfully.
“Absa advises that an employee has unlawfully made selected customer data available to a small number of external parties.”
“The leaked data relates to a small portion of Absa South Africa’s customer base to date, although investigations continue.”
The bank said it secured High Court orders that enabled search and seizure operations at various premises and secured all devices containing the data.
“The data on these devices was subsequently destroyed.”
Absa has brought criminal charges against the employee and said that the requisite consequence management has been undertaken internally.
“The bank may take further action in relation to the recipients of the data once the full scope of the leak is identified and all investigations are completed.”
“Absa has put in place additional control measures to minimize the risk of reoccurrence in future.”