Absa hit by data breach

Absa has suffered a data breach affecting a number of its clients, exposing their personal information to external parties.

The bank sent an email to affected clients on Monday 30 November, warning them that their personal information had been shared with third parties.

“We regret to notify you that Absa has identified an isolated internal data leak whereby personal information of a limited number of Absa customers was shared with parties external to the bank,” Absa told clients.

“Unfortunately, some of your personal information formed part of this data which included your identity number, contact details, address and account numbers.”

“Absa takes the protection of personal data extremely seriously and has taken proactive steps to address the potential risk to our customers,” Absa said.

The bank confirmed that the following personal information was exposed to external parties:

Identity numbers
Contact details
Physical addresses
Account numbers

Absa did not state whether any other client information has been exposed in the breach, but said it may contact affected customers to validate potentially suspicious transactions going forward.

The precise number of affected customers remains unconfirmed, but Absa has referred to it as a “small portion” of its client base.

“As part of these monitoring measures, you might receive a phone call from us to validate potentially suspicious transactions to ensure heightened protection of your interest,” Absa said.

“Please note that we will never ask you to share your ‘keys to the safe’ (including your online banking PIN or password or your card CVV, PIN or one-time password) with us or to approve activities to prevent fraud.”

Stopping unauthorised debit orders

Absa said it has put measures in place to prevent and detect unauthorised debit orders on the accounts of affected clients.

“Be assured that we will contact you if we detect unauthorised debit orders on your account,” Absa said.

“Kindly note that we will never ask you to approve the reversal of unauthorised debit orders.”

The bank said it was constantly improving its defences against cybercrime and, as a result of this incident, it has further refined its controls and protection processes.

Employee leaked client data – Absa

Absa told MyBroadband that the data was exposed due to the actions of an employee who acted unlawfully.

“Absa advises that an employee has unlawfully made selected customer data available to a small number of external parties,” Absa said.

“The leaked data relates to a small portion of Absa South Africa’s customer base to date, although investigations continue.”

Absa said that upon discovering the contravention, it secured High Court orders that enabled search and seizure operations at various premises and secured all devices containing the data.

“The data on these devices was subsequently destroyed,” Absa said.

Absa has brought criminal charges against the employee and said that the requisite consequence management has been undertaken internally.

“Absa may take further action in relation to the recipients of the data once the full scope of the leak is identified and all investigations are completed,” Absa said.

“Absa has put in place additional control measures to minimize the risk of reoccurrence in future.”