You are currently viewing our desktop site, do you want to download our app instead?
Moneyweb Android App Moneyweb iOS App Moneyweb Mobile Web App

Absa leak: Details emerge of how rogue employee sold client data

‘The leaked data relates to a small portion of Absa South Africa’s customer base, although investigations continue.’
Image: Bloomberg

An Absa employee accused of leaking some of the bank’s South African customer data to third parties provided the information, which included client ID numbers, bank account numbers, credit card numbers and mobile phone numbers, to several third parties in return for payment.

Responding to questions from TechCentral on Tuesday, the bank said the information shared specifically does not include passwords or Pin codes. However, Absa said it is worried fraudsters could still try and take advantage of the situation.

Absa said in a statement on Monday evening that the employee — whom it has not named — “unlawfully made selected customer data available to a small number of external parties”. It has laid criminal charges against the employee.

“The leaked data relates to a small portion of Absa South Africa’s customer base, although investigations continue.”

When it discovered the contravention, the bank secured high court orders allowing search-and-seizure operations at various premises and secured “all devices” containing the leaked data.

TechCentral’s questions to Absa, and the bank’s answers, follow in full.

What specific client information was leaked?
The types of data that was shared includes, for example, names and surnames, identity numbers, physical addresses, bank account and/or credit card numbers, mobile contact numbers, and vehicle details. The data that was shared does not include passwords or Pin codes. In some cases it was, for example, the ID numbers and phone numbers of some customers that were shared; in other cases, it was the vehicle financing details, etc. So, it was a mixture.

How many client records were leaked?
We have not completed the investigation, so we would not want to provide a definitive number at this stage. What we can confirm is that, so far, only a fraction of Absa’s customers in South Africa have been affected by the leak.

Given that Absa said it has enhanced the monitoring of affected clients’ accounts, does this mean Absa is concerned that the information leaked can be used to compromise accounts? If so, how?
The data alone does not give third parties direct access to the money in customers’ accounts. Pins and passwords were not shared as part of the leak. However, fraudsters are always on the lookout for opportunities.

What was the motive of the employee who leaked this information? Was the information provided to the third parties in return for a financial reward?
At least in some instances, it is apparent that selected data was sold to third parties.

What does Absa know about the third parties who received the information? How many third parties are there? And are they believed to be malicious actors?
At this stage, it is a handful of external parties, but we will be able to provide a definitive number only once our investigations have been completed.

We have taken legal steps pertaining to the parties that received data and may still take further steps. It would not be appropriate, therefore, to share the identity or details of the companies or individuals involved at this stage as it may compromise the success of the legal avenues that will be exercised.

When did Absa first discover the leak and what prompted it to go to court?
A whistle-blowing report was issued to the chief security office on 26 October. Had we communicated to customers immediately, we may have jeopardised search-and-seizure operations in the process, as there was a risk that the parties involved would become aware that we had knowledge of the issue.

Absa approached the court to determine the nature of the data shared and recipients and to secure orders for search-and-seizure operations. The court orders allowed for the authorised search of premises and devices of the parties who unlawfully acquired the data, which we have subsequently destroyed.

Which regulators has Absa reported the leak to and what has been the response of those regulators to date?
Absa reported the matter to the Information Regulator, the Prudential Authority and the Financial Sector Conduct Authority. We are fully cooperating with these regulators. It would not be appropriate for Absa to comment on their response.

What rules, processes or systems is Absa able to put in place to prevent this sort of incident in future?
Absa takes the protection of personal data extremely seriously and has taken proactive steps to mitigate the risk of customer data being misused as well as taking steps to address the internal processes that enabled the employee to share the data.

We have reviewed our controls and processes, in light of this leak, to further strengthen our defences and reduce the risk of an incident like this from re-occurring. — (c) 2020 NewsCentral Media

Duncan McLeod is Editor of TechCentral. 

This article was first published on TechCentral, here.


Please consider contributing as little as R20 in appreciation of our quality independent financial journalism.



Sort by:
  • Oldest first
  • Newest first
  • Top voted

You must be signed in to comment.


Can passwords and PIN codes be shared? Are these not supposed to be encoded within the system and only readable within the system such that it cannot be recalled for distribution to be read in alphanumeric text? Response from ABSA sounds like it is possible to distribute these as simple data.

ABSA have no clue or are guessing. A month later and you cant quantify how many accounts were compromised.

They are in the dark and guessing. At least Experian knew the 24 mill was only contact details and only circa 29,000 had Bank details.

ABSA is either clueless or disingeneous!!!!

Unauthorized debit orders incoming!

Month later how does ABSA not know which accounts have been compromised?
Where is BASA/SABRIC who were very liberal in their commments about Experian incident which was as fraud and not a hack/breach which this obviously is? Seems like one is covering for the other?
How weak are controls at ABSA if accc numbers and cc details were leaked.
Insiders seems to know that this is >200,000 high net worth individuals compromised. Why is ABSA hiding the truth. Or even better let the SABRIC watchdog share it to show their relevance and compromise yet another faceless crime?
What irrevocable assurance can ABSA give this has not been proliferated across the net/darkweb/file sharing sites. You are grabbing at straws to give false assurances.

Those who live in Riedel houses should not toss pebbles.

An Absa IT type said on Enca news yesterday that about 200000 customers were affected.

At some banks any amount less than R 100 will automatically be debited without the customer getting a message. So he will only find out at the end of the month.

End of comments.





Follow us:

Search Articles:Advanced Search
Click a Company: