Banking group Absa has warned some customers in an email that their personal information was leaked in a data breach 14 months ago and urged them not to disclose passwords or banking pins over the phone.
In December 2020, it was reported that personal information linked to 200,000 accounts was stolen and an Absa employee linked to the attack was later criminally charged.
The data stolen by an employee was personal information including names and ID numbers and could not be used to steal funds, but could potentially be used by criminals to contact banking clients.
Absa told Business Day on Monday it was contacting individual customers only now as “independent investigations are ongoing, and we continue to reach out to affected customers as new information comes to light”.
Head of fraud strategy at Absa Ulrich Janse van Rensburg explained the leak of data had not been withheld from clients for 14 months. Instead, customers were contacted as and when it became clear their personal data had been leaked.
He said Absa had hired an external forensic team to investigate the leak. It was working with devices linked to the crime and analysing large amounts of data. As it did this, it was able to identify more customers whose information was stolen, prompting the bank to warn those affected to be vigilant.
In December 2020, Absa was given permission by a court to search a suspect’s business premises in Durban, and search and seize electronic devices that contained stolen data.
Absa said in its email on Monday it had secured all the devices with the stolen information.
It emerged in 2020 that the former employee had sold data, including bank account information and ID numbers, to third parties.
Absa said if there were transactions that raised suspicion, banks would call clients whose data had been breached to double check that the transactions were legitimate.
It is presumed that criminals could use the stolen information to call customers, pose as bank employees and use the stolen personal data to trick the customers into disclosing banking passwords and other confidential information.
“Fraudsters may pose as a representative of a bank in their attempt to defraud you,” Absa said in an email on Monday.
Absa said it would never ask for pins, passwords or [three-digit card security] CVV numbers on the phone.
Cybercrime continues to pose an increasing risk to consumers and banking groups, with so many leaks that it is difficult to link an act of fraud to a particular breach.
Janse van Rensburg said no acts of fraud had been linked to the breach. He would not be drawn on how much customers’ data was stolen.
In 2020, credit bureau Experian suffered a hack in which about 24-million SA customer records were exposed and some data shared on the internet.
In 2021, Standard Bank and property data and valuation group Lightstone suffered a data breach that exposed the personal information of property owners, but this did not include bank details.
Construction company Basil Read announced in December 2021 that it had been the target of a ransomware attack in which hackers demanding payment had blocked access to company IT systems.
Cybercrime has also affected state entities. In July, Transnet’s Durban Port was the target of a cyberattack and the harbour was rendered non-operational for a few days, resulting in months-long shipping delays.
Update: February 21 2022
This story has been updated with comment and new information.
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.