Absa fires, lays criminal charges against data leak employee

Absa says it has dismissed and laid criminal charges against an employee who is accused of exposing customer data to external parties, in a data leak that took place last year.

The big four bank suffered a data leak in November, when the now former employee unlawfully made selected customer data available to external parties.

In an e-mail interview with ITWeb, the bank confirmed investigations into the data leak revealed a total of 209 000 customers were affected by the leak, which is approximately 2% of its total local client base. It also emerged that the former employee had sold the customer data to a “small number” of third parties for personal financial gain.

“The investigation, which includes a number of confidential legal processes, remains under way to ensure the full scope of the incident is uncovered and addressed. A mixture of data was leaked – in some cases, for example, a customer’s name, surname, identity number, physical addresses and bank account details were shared.

“In other cases, for example, a customer’s name, surname, contact numbers and vehicle details were shared. The data that was shared does not include passwords or PIN codes. We have taken further steps, including dismissing the employee, who was initially suspended,” says Sandro Bucchianeri, Absa Group chief security officer.

While the bank is not able to provide more details on how the former employee gained access to confidential customer data, it notes that upon discovering the contravention, it secured High Court orders that enabled search and seizure operations at various premises and secured all devices containing the data.

The data on the devices was subsequently destroyed and all affected customers were notified in November, it says.

Sandro Bucchianeri, Absa Group chief security officer.

“Absa takes the protection of personal data extremely seriously and we have taken proactive steps to mitigate the risk of customer data being misused, as well as taking steps to address the internal processes that enabled the employee to share the data,” notes Bucchianeri.

“We have reviewed our controls and processes, in light of this leak, to further strengthen our defences and reduce the risk of an incident like this from re-occurring.”

COVID-19 has created new opportunities for cyber attackers, with security experts warning of an increase in advanced attacks exploiting the global health crisis.

According to a report compiled by Atlas VPN, the number of leaked data records exposed globally reached 36.1 billion in the first three quarters of 2020 – more than double the number of records leaked in the whole of 2019.

Last year, several local companies suffered cyber attacks on their systems, including credit bureau Experian, Absa Bank, construction group Stefanutti Stocks, Lombard Insurance and Momentum Metropolitan.

Experian confirmed at the time that it experienced a breach of data which exposed the personal information of as many as 24 million South African bank customers and 793 749 business entities to a suspected fraudster.
