Rand notes. Picture: THINKSTOCK

It wasn’t the e-mail subject line that grabbed my attention. "Security breaches in our banking system" is the conclusion many victims of bank fraud come to because that’s easier to cope with than the thought that they unwittingly gave a fraudster access to their bank accounts.

It was the content of the Sandton-based transport company owner’s e-mail that did.

"I am a business customer for more than 10 years of a bank in South Africa," he wrote. "I have access to millions in a large corporation’s account, which was given to me by mistake. I would like to discuss the case with you via my attorney."

Legally, keeping money you know is not yours is theft and the court case that got millions of South Africans talking about this issue is that of university student Sibongile Mani, who went on an R800,000 spending spree after the National Student Financial Aid Scheme mistakenly added a few zeros to her payment and popped R14m into her account.

She was sentenced to five years in jail, but has been granted leave to appeal.

Every time a development in the Mani case creates headlines and social media commentary, it’s clear many South Africans see nothing wrong in helping themselves to money that lands in their bank accounts, whether it was intended for them or not.

Tonsi’s X post sums up their thinking: "It’s in my bank account, meaning it’s now mine; I will spend it! Hawu."

The 30-something Sandton businessman’s experience created the same moral dilemma, but what sets it apart is that he didn’t get a mysterious deposit in his account.

Instead, one day, towards the end of 2020, when Covid was having a crippling effect on his business and he was deep in debt — to Standard Bank — he accessed his accounts at an ATM and discovered an extra one was on the list — a money-market account belonging to a major multinational. With a balance running into the millions.

Even more intriguing in the days, weeks, months and years — yes, years — that followed was that he was able to witness money moving into and out of that account, meaning the company still had access to it.

Unbeknown to them, so did my interlocutor in Johannesburg. He had looked at, but not touched it, despite overwhelming temptation, for two years. In December last year he decided to approach Standard Bank via a lawyer, advocate Douglas Shaw.

"I wanted them to know what a massive mistake they had made and show them what I could have done," he said.

And yes, he wanted the bank to pay him for pointing out its blunder and giving the financial institution the opportunity to fix it to protect their multinational client — and check if other clients were in the same position.

"If they managed to link that company’s account to my profile, how many others?" he asked. A reasonable question.

He’d also become tired of living with the burden of that huge secret and the temptation that went with it. Only his wife knew about his access to that money.

"I once worked for a bank," he told me. "I’d figured out a way to get my hands on millions of that money and disappear. But I couldn’t go through with it and it was stressing me out; affecting my health."

When Shaw became involved, the bank brought in the legal big guns, internal and external, and so began months of discussions.

The businessman asked for R6m to reveal his name, which would lead them to his account and that unfortunate linkage.

Unsurprisingly, he was accused of extortion and there was no counter offer. Presumably the bank thought he had no business wanting to be rewarded for not committing a crime, and there’s merit in that argument.

Perhaps some "goodwill" offer would have been appropriate, given he alerted the bank to a problem with potentially disastrous consequences, which would undoubtedly have put the institution in a compromised position.

But it was not to be.

The saga ended as it had begun — by accident. The businessman’s details were revealed to the bank by mistake and a few days later — last week — that big money market account disappeared from his profile.

I asked Standard Bank how the blunder had occurred and had not been detected for so long. How many other such cases have been identified, I asked, and have they all been remedied?

Responding, the bank was at pains to point out that it "takes data privacy extremely seriously and goes to great lengths to secure and protect its data and that of its clients".

On being informed by Shaw of the "alleged data compromise on behalf of his undisclosed client", the bank had arranged a meeting with him to establish the facts.

"[If] a data security compromise had occurred that would require a report being submitted to the Information Regulator, the impacted client being informed, and steps being taken to ensure that the incident is contained and remedied fully from an information security perspective," the bank said.

"[We] notified the Information Regulator of the matter on a precautionary basis."

Investigating the matter proved difficult, the bank said, as its attorneys were not provided with the details required.

"Now that the bank has gained the required information," it said, its investigation had progressed and it was still under way.

"The bank can confirm that it has contained this particular incident and that any impacted parties have been notified. This was an isolated incident and no other customers have been impacted."

Shaw said the "great surprise" was that Standard Bank did not have a whistleblower programme, "where they reward people who find security flaws in their system".

"They did not appear worried that their system had given my client access to millions of rands of a major client’s funds. After six months of knowing of the problem, my client still had access," he said.

"I am not convinced by Standard Bank’s reassurances. Their trustworthiness has been put in question by this unbelievably lax security breach."

Meanwhile, the businessman is left with photos and video footage as evidence that he somehow had access to all those millions for two-and-a-half years.

• Contact Knowler for advice with your consumer issues via e-mail at or on Twitter @wendyknowler
