[ad_1]
An Absa employee accused of leaking some of the bank’s South African customer data to third parties provided the information, which included customer identification numbers, bank account numbers, credit card numbers and mobile phone numbers, to various third parties in exchange for payment .
In response to questions from TechCentral on Tuesday, the bank said the information shared specifically does not include passwords or PIN codes. However, Absa said he is concerned that scammers may still try to take advantage of the situation.
Absa said in a statement late Monday that the employee, whom he has not named, “illegally made selected customer data available to a small number of external parties.” You have filed criminal charges against the employee.
“The leaked data refers to a small portion of Absa South Africa’s customer base, although investigations continue.”
When it discovered the violation, the bank obtained superior court orders allowing search and seizure operations at various facilities and secured “all devices” containing the leaked data.
TechCentral’s questions to Absa and the bank’s responses follow in their entirety.
What specific customer information was leaked?
The types of data that were shared include, for example, first and last names, identity numbers, physical addresses, bank account and / or credit card numbers, mobile contact numbers, and vehicle details. The data that was shared does not include passwords or PIN codes. In some cases it was, for example, the identification numbers and telephone numbers of some clients that were shared; in other cases, it was vehicle financing details, etc. So, it was a mixed bag.
How many customer records were leaked?
We have not completed the investigation, so we do not want to provide a final number at this stage. What we can confirm is that, so far, only a fraction of Absa’s customers in South Africa have been affected by the leak.
Given that Absa said it has improved monitoring of affected clients’ accounts, does this mean Absa is concerned that leaked information could be used to compromise accounts? If so, how?
The data alone does not give third parties direct access to the money in customer accounts. The pins and passwords were not shared as part of the leak. However, scammers are always looking for opportunities.
What was the reason for the employee who leaked this information? Was the information provided to third parties in exchange for financial reward?
At least in some cases, it is clear that the selected data was sold to third parties.
What does Absa know about the third parties who received the information? How many third parties are there? And are they believed to be malicious actors?
At this stage it’s a handful of external parties, but we’ll be able to provide a final number only after our investigations are complete.
We have taken legal action related to the parties that received data and we can still take additional action. Therefore, it would not be appropriate to share the identity or data of the companies or individuals involved at this stage, as it may compromise the success of the legal channels to be exercised.
When did Absa first discover the leak and what led her to go to court?
On October 26, a complaint report was sent to the main security office. If we had contacted customers immediately, we may have jeopardized search and seizure operations in the process, as there was a risk that the parties involved would realize that we had knowledge of the issue.
Absa approached the court to determine the nature of the data shared and the recipients and to obtain warrants for the search and seizure operations. The court orders allowed the authorized search of the premises and devices of the parties that illegally acquired the data, which we have subsequently destroyed.
To which regulators has Absa reported the leak and what has been the response of those regulators to date?
Absa reported the matter to the Information Regulator, the Prudential Authority and the Financial Sector Conduct Authority. We are cooperating fully with these regulators. It would not be appropriate for Absa to comment on his answer.
What rules, processes or systems can Absa implement to prevent these types of incidents in the future?
Absa takes the protection of personal data very seriously and has taken proactive steps to mitigate the risk of customer data being misused, as well as taking steps to address the internal processes that allowed the employee to share the data.
We have reviewed our controls and processes, in light of this leak, to further strengthen our defenses and reduce the risk of an incident like this happening again. – (c) 2020 NewsCentral Media