Ford Credit customers affected by Absa data leak

Read time 3min 40sec

An ongoing investigation into the Absa data leak that took place in November has revealed that an additional number of customers belonging to Absa and Ford Credit had been affected in the incident.

The big four bank suffered a data leak last year, which it initially said had impacted a total of 209 000 customers – approximately 2% of its total local client base. The data leak occurred when an employee unlawfully made selected customer data available to a “small number” of external parties, to whom data was sold for personal financial gain.

It has since emerged that an additional undisclosed number of local customers had been affected and the total percentage of affected customers has increased.

Absa has a joint venture with automaker Ford SA’s financing solutions arm, Ford Credit. Through the partnership, the bank offers credit solutions to customers buying Ford vehicles. According to the bank, a portion of these customers were affected and it is in the process of informing them.

“Ongoing investigations into the leak revealed that selected data relating to an additional group of customers in SA had been exposed to the third-parties,” says an Absa spokesperson in a statement sent to ITWeb.

“These investigations have found that more customers’ data had been leaked by the employee (Absa customers and a portion of customers from the joint venture between Absa and Ford Credit in South Africa). We are currently notifying additionally-affected customers via e-mail, letters and/or SMS.”

A mixture of data was leaked – in some cases, for example, a customer’s name, surname, identity number, physical addresses and bank account details were shared.

The investigation, which includes a number of confidential legal processes, remains under way to ensure the full scope of the incident is uncovered and addressed, notes the bank.

The bank previously told ITWeb that the employee who leaked customer data had since been dismissed and faces criminal charges.

While the bank is not able to provide more details on how the former employee gained access to confidential customer data, it notes that upon discovering the contravention, it secured High Court orders that enabled search and seizure operations at various premises and secured all devices containing the data, which was subsequently destroyed, and all affected customers were notified in November.

“A criminal case was reported to the South African Police Service and all implicated parties are being investigated by the SAPS. We are collaborating with the South African Banking Risk Information Centre (Sabric) to ensure investigations are comprehensive. Absa commissioned an independent review of all our controls and processes associated with data protection,” says the bank.

“Sabric is providing support to Absa, its members and law enforcement by facilitating access to critical information, to assist them in detecting, preventing and investigating this matter,” says Sabric CEO Nischal Mewalall.

“A key focus of Sabric is to ensure the banking industry can respond swiftly, effectively and appropriately, not only to protect its customers against fraud and theft, but also to investigate the suspected perpetrators.”

Responding to ITWeb’s questions sent via e-mail, Ford Credit says it maintains comprehensive controls and processes to protect customer data to ensure it adapts to the evolving techniques used by criminals to bypass them.

“Ford Credit has already refined its controls and processes in light of this compromise, to further strengthen its defences and reduce the risk of a future incident.

“As an additional safety measure, Ford Credit has arranged for customers to have access to a secure credit profile check free of charge for 12 months. The service allows customers to receive alerts if anything changes on their credit report, enabling them to identify any unauthorised changes and take immediate action,” says Ford Credit.

According to experts, since the onset of the COVID-19 pandemic, data breaches and leaks have escalated.

Last year, several local companies suffered cyber attacks on their systems, including credit bureau Experian, construction group Stefanutti Stocks, Lombard Insurance and Momentum Metropolitan.

See also