Standard Bank and Lightstone waited 10 days to publicly disclose a data breach that may have compromised the personal information of the owners of as many as 745,000 registered properties in SA, citing the need to ensure that any steps taken did not stymie any legal and criminal investigation.
Africa’s biggest bank by assets and Lightstone, a provider of market intelligence on the SA property market, released a joint statement on Friday saying the lender’s LookSee property search tool had suffered a data breach. However, Standard Bank later told Business Day that it had first become aware of the breach on November 30, more than 10 days before it communicated the problem to the public.
“Standard Bank and Lightstone informed the information regulator as soon as reasonably possible once it was discovered that there are reasonable grounds to believe that the information was accessed without permission,” the bank said in response to questions seeking clarity on the reasons for disclosing the hack 10 days later.
“Our immediate focus was on minimising the impact to the data subjects, determining the scope of the compromise and ensuring that the necessary due diligence was given to ensure any hasty steps taken did not impede any legal and criminal investigation.”
Standard Bank and Lightstone said their initial investigations showed the compromised information included names, identity numbers, entity registration numbers, marital status and physical addresses. While the exposed information did not include banking details, cellphone numbers or e-mail addresses, the individuals affected went beyond the Standard Bank client base.
The data breach occurred on Standard Bank’s LookSee platform, a free online tool that leverages Lightstone data to provide prospective homeowners with information on the estimated market values of properties as well as sales trends in particular areas and the costs involved in purchasing a home.
Standard Bank said preliminary indications suggested there was no internal involvement in the data leak. However, the bank would not say whether the breach was the result of a malicious hacking event by a third party who may be demanding a ransom in exchange for the return of the data.
“We are assisting the authorities in their investigation and cannot release information at this time,” the bank said.
In June 2018, insurance group Liberty, which was majority-owned by Standard Bank at the time, was the victim of a hack by unidentified cybercriminals who demanded a ransom. In the Liberty attack, the hackers gained access to sensitive client data and attempted to extort millions from the insurer, which said at the time it had refused to pay them.
Standard Bank said the LookSee data breach was not related to the systems outage it suffered on December 9, the day before it released its statement with Lightstone. Clients in nine African countries had trouble using the bank’s mobile banking app, while SA customers were also unable to log on to internet banking.
SA firms, including financial services giant Old Mutual and several state-owned entities, have come under attack by cybercriminals in recent years, often with the goal of extorting money. State-owned ports operator Transnet declared force majeure in July after its container terminals at the Durban, Ngqura, Gqeberha and Cape Town harbours were disrupted by cyberattacks.
Standard Bank and Lightstone on Friday urged property owners to remain vigilant by reviewing their bank statements and reporting any suspicious transactions. “While no banking details were exposed, it is good practice to ensure that passwords are secure.”
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.