Absa data leak: Details emerge of how rogue employee sold client data

An Absa employee accused of leaking some of the bank’s South African customer data to third parties provided the information, which included client ID numbers, bank account numbers, credit card numbers and mobile phone numbers, to several third parties in return for payment.

Respond to questions from TechCentral on Tuesday, the bank said the information shared specifically does not include passwords or Pin codes. However, Absa said it is worried fraudsters could still try and take advantage of the situation.

Absa said in a statement on Monday evening that the employee — whom it has not named — “unlawfully made selected customer data available to a small number of external parties”. It has laid criminal charges against the employee.

“The leaked data relates to a small portion of Absa South Africa’s customer base, although investigations continue.”

When it discovered the contravention, the bank secured high court orders allowing search-and-seizure operations at various premises and secured “all devices” containing the leaked data.

TechCentral’s questions to Absa, and the bank’s answers, follow in full.

What specific client information was leaked?
The types of data that was shared includes, for example, names and surnames, identity numbers, physical addresses, bank account and/or credit card numbers, mobile contact numbers, and vehicle details. The data that was shared does not include passwords or Pin codes. In some cases it was, for example, the ID numbers and phone numbers of some customers that were shared; in other cases, it was the vehicle financing details, etc. So, it was a mixture.

How many client records were leaked?
We have not completed the investigation, so we would not want to provide a definitive number at this stage. What we can confirm is that, so far, only a fraction of Absa’s customers in South Africa have been affected by the leak.

Given that Absa said it has enhanced the monitoring of affected clients’ accounts, does this mean Absa is concerned that the information leaked can be used to compromise accounts? If so, how?
The data alone does not give third parties direct access to the money in customers’ accounts. Pins and passwords were not shared as part of the leak. However, fraudsters are always on the lookout for opportunities.

What was the motive of the employee who leaked this information? Was the information provided to the third parties in return for a financial reward?
At least in some instances, it is apparent that selected data was sold to third parties.

What does Absa know about the third parties who received the information? How many third parties are there? And are they believed to be malicious actors?
At this stage, it is a handful of external parties, but we will be able to provide a definitive number only once our investigations have been completed.

We have taken legal steps pertaining to the parties that received data and may still take further steps. It would not be appropriate, therefore, to share the identity or details of the companies or individuals involved at this stage as it may compromise the success of the legal avenues that will be exercised.

When did Absa first discover the leak and what prompted it to go to court?
A whistle-blowing report was issued to the chief security office on 26 October. Had we communicated to customers immediately, we may have jeopardised search-and-seizure operations in the process, as there was a risk that the parties involved would become aware that we had knowledge of the issue.

Absa approached the court to determine the nature of the data shared and recipients and to secure orders for search-and-seizure operations. The court orders allowed for the authorised search of premises and devices of the parties who unlawfully acquired the data, which we have subsequently destroyed.

Which regulators has Absa reported the leak to and what has been the response of those regulators to date?
Absa reported the matter to the Information Regulator, the Prudential Authority and the Financial Sector Conduct Authority. We are fully cooperating with these regulators. It would not be appropriate for Absa to comment on their response.

What rules, processes or systems is Absa able to put in place to prevent this sort of incident in future?
Absa takes the protection of personal data extremely seriously and has taken proactive steps to mitigate the risk of customer data being misused as well as taking steps to address the internal processes that enabled the employee to share the data.

We have reviewed our controls and processes, in light of this leak, to further strengthen our defences and reduce the risk of an incident like this from re-occurring. — (c) 2020 NewsCentral Media