Postbank needs to replace 12 million bank cards at a cost of R1 billion after its “master key” was compromised, the Sunday Times reported.
Citing several internal Postbank reports, the Times found that the bank’s master key was stored in plaintext during a data centre migration in July 2018. Two staff members also stored the key in plaintext on USB flash drives and one of the drives can’t be located.
One of the internal reports cited in the article, an overview of financial crime, reportedly stated that Postbank found 25,000 fraudulent transactions between March 2018 and December 2019. R56 million was stolen.
The master key was generated in January 2018, according to the report.
The article described the master key as a 36-digit code which allows anyone to read and write account balances, and read and change information on any of the cards the bank has issued.
The Post Office denied that its master key for Postbank’s cards had been compromised, saying that the “stories” were unfounded and only seek to create panic among Postbank’s clients.
Postbank’s clients include millions of social security beneficiaries who receive grants from the government every month.
No audit trail
Referring to another internal report titled “Overall IT Security Register” from January 2020, the Sunday Times reported that Postbank had no logging in place to trace fraudulent transactions.
Postbank was not able to audit when an account was accessed, who accessed it, and what was done on the account.
A spokesperson for the Post Office said that it is on record that “systematic difficulties” were uncovered with the “reconciliation functionality” of the integrated grant payments system, and that the issue has been resolved.
R42 million stolen from Postbank in 2012
This is not the first time information security problems at Postbank have resulted in money being stolen.
In 2012, a syndicate stole R42 million from Postbank in a heist that took place over the New Year holidays — between 1 January and 3 January.
The syndicate opened several Postbank accounts across South Africa towards the end of 2011, and over New Year’s they gained access to a Rustenburg Post Office employee’s computer. From there the syndicate made deposits from other accounts into its own.
Over the next three days, automated teller machines in Gauteng, Free State and KwaZulu-Natal were used to withdraw cash from the accounts.