Absa says 'some sensitive customer information' stolen by employee

Ford Credit customers have also been affected by the data breach

01 December 2020 - 15:58 By Warren Thompson and Tanya Farber
The Absa Group headquarters in Johannesburg.
The Absa Group headquarters in Johannesburg.

Banking group Absa is pressing criminal charges against an employee who has subsequently been suspended for illegally accessing and sharing customer information with third parties, the bank said on Tuesday.

The development came to light following an article published in the Business Insider on Tuesday that reported the bank had been  contacting clients to tell them that some of their information had been compromised.

In response to e-mailed questions, the group declined to provide any information on the quantum of the leak “as the investigation is ongoing”. It instead stuck by its description of “a very small portion” of its customer base when referring to how many customer accounts were compromised.

Absa did confirm that some of the data unlawfully shared included sensitive information, as well as a mix of more marketing-orientated data, BusinessLIVE reported.

“The types of data shared includes, for example, names and surnames, ID numbers, physical addresses, bank account and/or credit card numbers, mobile contact numbers and vehicle details. It does not include passwords or PIN codes,” the bank said.

Absa has enhanced the monitoring of customer accounts that have been affected to date, and are contacting customers directly,” it said.

It is understood that the employee did not breach the bank’s systems to obtain the information, but instead abused their position to access the data and provided it to third parties.

On discovering the breach in late October, Absa suspended the employee and sought and obtained court orders to seize the employee’s devices. All customer information found on the employee’s devices has been destroyed.

This comes a few months after data pertaining to millions of customers, some of which included bank accounts, were fraudulently obtained from credit bureau Experian.

It also emerged on Tuesday that Ford Credit customers had fallen victim to the leak. They were warned that their ID numbers, vehicle descriptions, cellphone numbers and addresses were part of the leak.

Affected customers were sent a message from Ford that read: “We are reaching out to affected individuals and can assure you that we have taken measures to protect your financial interests. We believe this information was intended for telemarketing purposes and have refined our internal controls to reduce the risk of a leak recurring.”

Ford Credit declined to comment and referred questions to Absa, which replied with an e-mailed statement that confirmed that the leak included “a small portion of data from the joint venture between Absa and Ford Credit SA”.

Upon discovering the contravention, Absa said it “secured high court orders that enabled search and seizure operations at various premises and secured all devices containing the data”. 

Criminal charges have been brought against the employee, and Absa “may take further action in relation to the recipients of the data once the full scope of the leak is identified and all investigations are completed”.