Serious data breach rocks Absa Group
By Dineo Faku
JOHANNESBURG - BANKING group Absa yesterday said that it had been rocked by a data leak after an employee stole personal information of some of the group’s clients, underscoring the need for the tightening of controls to protect the sensitive particulars of bank customers.
Absa said that the employee had unlawfully made selected customer data available to a small number of external parties.
It said the leaked data related to a small portion of Absa South Africa’s customer base, although investigations continued.
“Upon discovering the contravention, Absa secured high court orders that enabled search and seizure operations at various premises and secured all devices containing the data. The data on these devices was subsequently destroyed,” said Absa.
Absa notified its clients that the employee had shared details of a limited number of clients, including identity numbers, addresses, contact details and descriptions of vehicles financed, with parties outside the bank.
“Based on our investigation we have reason to believe that the data was intended for telemarketing purposes,” Absa said, adding that it had brought criminal charges against the employee, and internally the requisite consequence management had been undertaken.
“Absa may take further action in relation to the recipients of the data once the full scope of the leak is identified and all investigations are completed,” said the bank.
IT services analyst at Johannesburg-based Africa Analysis, Derrick Chikanga, said the breach highlighted the insider threat that company employees posed with regard to data leaks.
Chikanga said internal employees were the most difficult to tackle when it came to cyber threats.
“This is because they have access to privileged information with regards to a bank’s internal processes,” Chikanga said. “As such, employees present one of the biggest threats to organisations’ data security.”
Absa said it took the protection of personal data extremely seriously and had taken proactive steps to address the potential risk to its customers.
It said it maintained a comprehensive set of controls and processes to protect data and was constantly improving them to ensure that it adapted to the evolving techniques used by criminals to bypass its systems.
“We have already refined our controls and processes, in light of this compromise, to further strengthen our defences and reduce the risk of an incident like this from re-occurring,” said the group.
In May, personal details of 24 million South Africans were stolen from the credit bureau Experian, which collects credit information about consumers from banks, retailers, and other parties.
Chikanga said banks should ensure that some of the most sensitive client information was only accessible to senior employees within the organisation.
He said South Africa was generally one of the most vulnerable countries to cyber-attacks.
“This is not just related to the banking sector, but cuts across both the public and private sector,” he said.
Absa shares rose 0.19 percent on the JSE yesterday to close at R110.41.