Standard Bank confirms data breach of confidential client information

  • Thread starter Bianke Neethling
Suspected as much.
Too many confirmed cases of targeted defrauding of old and non-tech-savvy people did the rounds recently.
Intricate "call-centre" phone scam trying to stop attempted unauthorized transactions.
 
Why do these big SA corporates keep on employing criminals? It seems that most of these breaches occur due to internal staff and not from being "hacked" by external people.

because of labour laws and .............
thanks anc ....

viva anc .......... viva .....................
 
Basically Standard Bank being Standard Bank. This shouldn't even make the news, it's so expected from this monkey's a$$ bank.
 

The bank further clarified that it does not keep or store information like client passwords and Pins, and such information was not impacted by this data incident.

Yes, they do; what else are usernames, passwords, and other codes authenticated against? I think they meant that they don't store it unencrypted. That doesn't mean that it can't be decrypted, or exposed raw.

Neither is it about passwords and PINs; this is about the data being maliciously used to bring damages upon their clients.

“If a client has not been contacted by the bank, they have not been impacted by this data incident.”

How would they know who is impacted and who is not? Regardless, it is their appointed data controllers. IMHO, the client should know who their data controller is and who has been authenticated at any point in time to access the data. However Standard Bank makes this incident look, they were the accountable party, and clients should hold them accountable.

Good on them dealing with the employee, but what are they going to do about the data shared with external parties? According to the bank in their own statement, they haven't been compromised, so why have a disciplinary process?

I don't like it when any person or enterprise speaks in tongues.
 
What do they use? AES-256? Good luck.

Standard Bank believes that their encryption may be at risk. They will prompt all their users to renew their passwords/codes. It is not an incident that they can ignore. I only have reservations about their statement that they don't store client passwords and PINs.
 
My account at Tymebank was hacked and Tymebank's 2FA was bypassed!!

It was an inside job at Tymebank and I lost a hell of a lot of money!!
This story doesn't make sense. If their fraud department did not assist you, then what happened when you took the matter to the banking ombud or police?
 

The best practice is to never store passwords and PINs, not even AES-256 encrypted versions, but rather only a one-way salted hash of them. Using something like a SHA-256 hashing algorithm, it is not possible to reverse the hash back to the original password, only by brute force, which could take thousands of years per password. Super useful when people use the same password on multiple sites.
 
Yes, they do; what else are usernames, passwords, and other codes, authenticated against? I think they meant that they don't store it unencrypted. That doesn't mean that it can be unencrypted, or exposed raw.
It means that it's stored as a one-way hash function. There's no way to get the password from the hash; you're only able to get it by guessing the password (so brute force). This is called SHA (secure hash algorithms).

You also have AES (advanced encryption standard), where it's data you need to be able to decrypt, for example your address. Usually you do this for stuff like backups. The "unencrypted" refers to this bit, as you can encrypt more sensitive fields like address if you don't search on it (or are okay with it being slower, as a rare search).

Normal practice after any data leak is to ask all users to update their passwords, just because, if they do brute force your passwords, there's a chance some users have weak passwords or haven't changed them for years.
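The salted one-way storage the two posts above describe, as an added example that is not from the thread or from any bank: each user gets a fresh random salt, only the derived digest is stored, and a login is checked by re-deriving and comparing rather than by decrypting anything. It uses PBKDF2-HMAC-SHA256 from the standard library (a deliberately slow, iterated SHA-256 construction) in place of a single plain SHA-256 call; the iteration count and the record format are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for PBKDF2-HMAC-SHA256 (assumed value for this example;
# a real deployment tunes it to its hardware so each guess stays expensive).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: 'iterations$salt_hex$digest_hex'.

    The password itself is never kept, so a leaked record cannot be
    decrypted; it can only be matched by re-deriving from a guess.
    """
    if salt is None:
        # Fresh random salt per user: two users with the same password
        # end up with unrelated records, defeating precomputed lookups.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def records_differ_for_same_password(password: str) -> bool:
    """True when two independent records of the same password share nothing visible."""
    first, second = hash_password(password), hash_password(password)
    return first != second and first.split("$")[2] != second.split("$")[2]


if __name__ == "__main__":
    record = hash_password("correct horse battery")   # constructed sample password
    print(record)
    print(verify_password("correct horse battery", record))   # True
    print(verify_password("correct horse batter", record))    # False
    print(records_differ_for_same_password("hunter2"))        # True
```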
 