Nedbank data breach may leave victims open to fraudulent attacks, say experts
The breach took place at the premises of Computer Facilities, a direct marketing company that issues SMS and e-mail marketing information on behalf of the bank
Nedbank customers breathed a sigh of relief on hearing that their bank account numbers weren't compromised when one of the bank's service providers suffered a data breach last month. But their complacency may cost them dearly.
Other personal information belonging to the 1.7-million affected consumers (1.1-million of which are active Nedbank customers) was compromised: full names, identity numbers, physical and/or e-mail addresses and phone numbers.
"No Nedbank systems or client bank accounts have been compromised in any manner whatsoever or are at risk as a result of this data issue, identified as part of our routine and ongoing monitoring procedures," the bank said in a statement.
Your personal information is gold to fraudsters in social engineering attacks such as phishing, vishing and false application fraud. In the latter, fraudsters use the information to pose as you and apply for a replacement card or for credit in your name.
Lucien Pierce, a Johannesburg-based lawyer who specialises in information security, said your personal information is like pieces of a puzzle which form your profile.
"The Nedbank breach is a big deal because criminals can now use this information to access other information which they would not otherwise have been able to do. This leak can assist them in building a profile on you to use in nefarious ways," Pierce said. They could use social engineering to trick you into parting with additional information to defraud you.
Pierce said in the US, where there have been breaches of sensitive information, there have been settlements between people whose data was compromised and the entity holding the data, in which each affected person is paid a sum of money and given one year of free credit monitoring. "Why would you offer that if there were not such serious consequences of information breached in this way?"
Digital thieves stole $14.4bn (about R220bn) from US consumers in 2018, according to Javelin's 2019 identity fraud study. Similar information is not available in SA, with the Protection of Personal Information Act (Popia) not yet in force.
If Popia were in place, Pierce said, Nedbank would have been fined because the act imposes a "strict liability" on the party responsible for protecting your information. "There may have been mitigating circumstances, if the compromise was detected during routine auditing, in which case the penalty may be a slap on the wrist."
Advocate Johannes Weapond, a full-time member of the Information Regulator, said that if Popia were in full force, when considering a penalty or fine "the regulator would either have to establish or make a determination on whether the bank has put reasonable measures in place to prevent a data security breach. Each breach would have to be assessed on a case-by-case basis".
He said the regulator had not yet instructed Nedbank to take any remedial action and had not yet received the forensic report to enable it to make a determination on the exposure. The chair of the regulator, advocate Pansy Tlakula, has reportedly sent a request to President Cyril Ramaphosa to declare that the remaining provisions of Popia commence on April 1.
After this, companies will have 12 months to get their systems and processes in compliance with the act.
Thereafter, companies that collect, process, store and share your personal information will be held accountable if your data is accessed. Lack of compliance can lead to fines of up to R10m and a jail sentence of up to 10 years.
Anna Isaac, Nedbank's group chief compliance officer, told Money the bank was not legally obliged to notify the Information Regulator but chose to do so in the spirit of co-operation.
She said the bank requires its service providers to comply with the relevant privacy laws and regulations, including Popia although it is not yet in force.
Nedbank had contacted affected clients and they do not need to take any further action other than continuing to be vigilant against attempts at fraud, Isaac said. In doing so, they should:
• Contact Nedbank immediately should they suspect unauthorised use of their personal information;
• Not share passwords or PINs with anyone;
• Not disclose personal information to anyone via phone, e-mail or SMS. "Nedbank will never contact clients asking for this information," she said.
As an extra precaution, clients can list their details on the South African Fraud Prevention Services database, which provides additional protection against identity theft. To be registered, clients should contact 0860 775 775 or DataProtection@Nedbank.co.za.
Kriben Reddy, the head of consumer business at TransUnion, said data breaches currently cost companies in lost business as they experience abnormal customer churn following a breach. "The cost of a data breach in SA was on average R42m per breach in 2019, up from R37m in 2018."