Last week Nedbank announced that it has discovered a security breach at Computer Services Ltd, a third-party service provider which issues SMS and email marketing on behalf of the bank.
This security breach compromised the personal information of Nedbank clients, including names, ID numbers, telephone numbers, physical addresses, and email addresses.
Nedbank said the security breach was discovered during a routine monitoring procedure. Once the bank became aware of it, it immediately conducted an extensive investigation.
1.7 million clients were affected by this security issue, with 1.1 million of those clients being active.
“We have moved swiftly to proactively secure and destroy all Nedbank client information held by Computer Facilities,” Nedbank said.
Nedbank said the incident was isolated to Computer Facilities’ systems, which it has disconnected from the Internet until further notice as a precautionary measure.
Nedbank CEO Mike Brown shares details
Nedbank CEO Mike Brown said in a CNBC Africa interview that the data breach was first discovered two weeks ago.
“We have done everything in our power to contain the incident. We have been on the premises of the supplier, deleted all the Nedbank data and they shut them off the Internet,” he said.
Brown said they currently assume that all the data which Nedbank sent to Computer Facilities over time has been compromised.
While this data was sent to Computer Services in an encrypted format, it currently looks like it was stored in plain text.
He highlighted that none of Nedbank’s systems was compromised, meaning no bank account numbers, PINs or passwords were leaked.
Nedbank also uploaded information related to the incident into its fraud database, which will alert the bank to any unusual levels of activity on these accounts.
What this data could be used for
Names, ID numbers, telephone numbers, physical addresses, and email addresses can be powerful tools in the hands of cybercriminals.
Brown said in other scenarios where this data has been exposed, criminals have used it to launch social engineering attacks against banking clients.
In these targeted attacks, criminals phone banking clients while posing as Nedbank staff and try to obtain further details such as the client's bank account number, PIN, or password.
Brown urged clients to be vigilant and never give sensitive information like their banking details to people who phone them.
He advised clients who see suspicious activity or have concerns to contact the bank via email [email protected] or call 0860 777 5775.
MyBroadband tested the “[email protected]” email address promoted by Brown.
While the bank responded quickly, the consultant did not answer any of the questions asked. Instead, he simply reiterated the statement sent out by Nedbank previously.
Computer Facilities is a direct marketing company based in Randburg which focuses on data, marketing, and development.
It describes itself as a “data-driven direct communications centre with a highly successful track record in excess of thirty years”.
The company said it used various marketing tools to “communicate to the right client at the right time through the right channels”.
Computer Facilities added that it adheres to the strict laws laid down in the Protection of Personal Information Act (POPI) and the Consumer Protection Act (CPA).
The company is a B-BBEE Level 1 contributor, which may be why it is an attractive supplier to large corporate clients like Nedbank.
MyBroadband asked Computer Facilities about the data breach and whether the data was stored in encrypted format, but the company did not respond by the time of publication.
How Computer Facilities was selected by Nedbank
Brown said Nedbank has agreements with suppliers like Computer Facilities to ensure they adhere to all necessary standards.
He said the bank also performs due diligence on all its suppliers, testing their systems to make sure they comply with the required security protocols.
Brown admitted that their systems failed in this case, which resulted in their clients’ data being compromised.
“We need to be better in how we monitor and control the use of our data in the third-party environment,” he said.
“Even if our contracts require suppliers to store the data in an encrypted form, we need to be sure that it is always kept in that form,” he said.
He said the investigation into the cause and extent of the data breach is ongoing, after which Nedbank will assess what the appropriate way forward is regarding its relationship with Computer Facilities.
The Nedbank CEO, however, does not anticipate legal action because of the incident. This, he said, is thanks to the effective way in which Nedbank has handled the situation.
“We think the way we acted and reacted to this is in line with what will come from a legal point of view,” he said.
“The legal framework in South Africa will be POPI. We think we have done everything required if POPI was effective,” he said.