South African banks have sent out security advisories to their customers following a significant data breach at Experian South Africa.
Experian is a consumer, business, and credit information services agency, whose major clients include several South African banks.
The breach exposed the personal information of as many as 24 million South Africans and 793,749 business entities.
“Banks and SABRIC have also been cooperating with Experian in their efforts to secure the data and ensure the perpetrators are brought to book,” the South African Banking Risk Information Centre (SABRIC) said in a statement on the incident.
Following the disclosure of the incident, a number of major South African banks have issued statements to customers advising them of the nature of the breach.
The nature of the data that was compromised lends itself to potential use in identity theft attacks, and may include the following:
- First and last names
- ID numbers
- Telephone numbers
- Physical addresses
- Email addresses
Experian South Africa released a statement regarding the data breach yesterday, assuring customers that no financial data was compromised.
“Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian,” the company said.
“We have identified the suspect and confirm that Experian South Africa was successful in obtaining and executing an Anton Piller order which resulted in the individual’s hardware being impounded and the misappropriated data being secured and deleted.”
South African banks have warned their clients to exercise caution following this data breach, with some warning customers to change their online and app-based banking passwords as a precaution.
Statements sent by Standard Bank, FNB, Absa, and Nedbank to their clients are below.
Standard Bank acknowledged that it was affected by the data breach, which resulted in some of its customer demographic information being obtained fraudulently.
“The information that has been compromised includes ID number, residential and physical addresses and contact details,” it said.
“As Standard Bank, we have proactively stepped up our authentication processes and our fraud prevention and detection strategies to protect our clients.”
“As our measures are security-sensitive, we are unfortunately not able to divulge more details, and the fact that an investigation into the matter is currently underway,” the bank said.
It also urged its clients to take the following steps:
- Change banking passwords on our digital banking platforms and social media passwords.
- Register for DigiMe on the Standard Bank App.
- Register for MyUpdates (free Standard Bank SMS service) to be notified of all transactions over R100 on your accounts.
- Contact the bank or your relationship manager immediately if you suspect your bank accounts or cards have been compromised.
- Do not share your personal details, banking details or one-time pin with anyone.
- Register with SAFPS for protective registration – if anyone tries to apply for banking products with your ID, it will be declined or referred for further review.
“Understandably, concerned clients will want to know how their personal and business information was shared with Experian,” the bank said.
“As a bank, we are required to submit to – and obtain data from – the credit bureaus. This is stipulated in the National Credit Act which requires a credit provider to check a consumer’s debt agreement history.”
“Credit bureaus receive information from all creditors, as well as information from public records, such as property, court and ‘CIPC’ (Companies and Intellectual Property Commission) records,” it said.
Standard Bank said it was treating this issue with the utmost priority and attention and is working with Experian South Africa and SABRIC.
FNB has issued a statement advising its customers to be vigilant of identity theft attempts in the wake of the data breach.
“FNB has been made aware that business and credit information services agency, Experian has experienced a data breach,” the bank said.
“We are working with The South African Banking Risk Information Centre (SABRIC), The Banking Association of South Africa (BASA), law enforcement and regulatory authorities to mitigate any potential risks on our customers as a result of the incident.”
It advised customers to follow its recommended security precautions, which include the following:
- It is vitally important that you never give your Online Banking username and/or password to anyone.
- Never give your One Time PIN (OTP) to anyone.
- Never click on links in emails claiming to be from FNB.
- Never save your passwords to your browsers.
“The Bank is communicating directly to customers who may have been impacted from a banking perspective,” it said.
“The protection of our customers’ banking information is our utmost priority.”
Absa said it was informed by Experian of the data breach and is engaging all of its impacted customers.
“Experian is one of South Africa’s largest credit bureaus,” Absa said.
“Financial institutions use bureau information to assess clients’ credit status and debt commitments when applying for credit.”
“Absa takes the protection of your personal information extremely seriously and we have engaged with Experian to better understand what occurred and the steps they have taken to mitigate the impact,” the bank said.
Absa said it has heightened the monitoring of its customer portfolio and will engage customers should it detect any suspicious activity.
“We urge you to contact us immediately on our Fraud Hotline (0860 557 557) should you notice any suspicious behaviour or if in doubt.”
Criminals will approach unsuspecting consumers via email, phone, or text message and present themselves as members of a reputable organisation, Absa said.
“They will attempt to deceive unsuspecting consumers into disclosing their ‘keys to the safe’ (online PIN, online passwords, card PIN, card CVV number, OTP, and/or authentication messages – RVN/TVN/SureCheck).”
“Never share these details with anyone and report suspicious behaviour immediately,” Absa said.
“We have been advised that Experian SA, a credit bureau, has shared personal information with a third party pretending to be a legitimate customer of Experian,” Nedbank said.
“The information shared includes names, ID numbers, telephone numbers, physical and/or email addresses.”
“Your bank accounts are not at risk,” it said.
The bank added that personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts – unless you disclose confidential banking details to them.
Clients from all banks, among other credit providers, are impacted by this data breach as it is a credit industry requirement for credit providers to share this information with credit bureaus.
The bank provided the following tips for how to be safe:
- Never share your passwords or PIN with anyone.
- Never disclose your personal information to anyone who calls you, emails you, or SMSs you. Remember Nedbank will never contact you asking for this information.
- Contact Nedbank immediately should you suspect unauthorised use of your personal information.
“The safety and security of your information is a top priority,” Nedbank said.
“We will continue to monitor suspicious activity on client accounts.”
Investec acknowledged the data breach and said that Experian successfully obtained and executed an Anton Piller order which resulted in the perpetrator’s hardware being impounded and the misappropriated data being deleted.
“The investigating authorities shared with us the data that was affected,” Investec said. “We have been advised that most of the data shared are data available on the CIPC database.”
“If you suspect that your business’ identity has been compromised, contact your bank and credit card issuers and any other credit providers with whom your business may have credit facilities.”
Investec said clients should also contact the fraud department at credit information services agencies to place a fraud alert on their accounts.
Banks have been cooperating with Experian to secure the data and ensure the perpetrators are identified and prosecuted, the company said.
“Investec takes the security of our client data very seriously and we have ongoing strategies in place to detect potential fraud.”