Nedbank client data compromised in security breach

Nedbank said on Thursday that a security breach at a third-party supplier has compromised the details of as many as 1.7 million of its clients.

In a statement, the bank said it has investigated a “data security issue” that occurred at the premises of a service provider, Computer Facilities, which is a direct marketing company that issues SMS and e-mail marketing information on behalf of Nedbank and other companies.

“A subset of the potentially compromised data at Computer Facilities included personal information — names, ID numbers, telephone numbers, physical and/or e-mail addresses — of some Nedbank clients,” it said. “No Nedbank systems or client bank accounts have been compromised in any manner whatsoever or are at risk as a result of this data issue at Computer Facilities.”

The bank it said identified the problem as part of its “routine and ongoing monitoring procedures”.

“Once we became aware of the issue, we engaged as a matter of urgency with the service provider and leading forensic experts to conduct an extensive investigation. We have moved swiftly to proactively secure and destroy all Nedbank client information held by Computer Facilities,” it said.

“Information from Nedbank Retail relating to approximately 1.7 million clients was potentially affected, of which 1.1 million are active clients.”

This incident is isolated to the third-party service provider’s systems, Nedbank said. As a further precautionary measure, Computer Facilities’ systems have been disconnected from the Internet.

‘Top priority’

“We regret the incident … and the matter is receiving our urgent attention,” said Nedbank CEO Mike Brown. “The safety and security of our clients’ information is a top priority. We take our responsibility to protect our client information seriously and our immediate focus has been on securing all Nedbank client data at Computer Facilities, which we have done.”

The bank is communicating directly with affected clients and “taking the necessary actions in close cooperation with the relevant regulators and authorities”, Brown said.

Nedbank CIO Fred Swanepoel said Computer Facilities did not have any links to the bank’s systems. “Our team of IT specialists and external cybersecurity experts has been working continuously with them since we became aware of this matter. Clients’ bank accounts have not been compromised in any manner whatsoever and clients have not suffered any financial loss.”

Clients’ bank accounts are not at risk and they do not need to take any further action other than continuing to be vigilant against attempts at fraud, Nedbank emphasised.

The bank became aware of the incident late last week. It then took “immediate action by proactively securing and destroying all client information at the third-party service provider”.

“We immediately started an investigation and, as soon as we had verified the data, we started communicating to our affected clients,” it added.

“Clients’ bank accounts have not been compromised in any manner whatsoever as a result of this incident. For your account to have been compromised, any fraudster would need additional information that was not present or not available from the data vulnerability.”

Information that was compromised includes ID numbers, names and addresses. “Our forensics and IT specialists supported by external experts are working closely with the third-party service provider and the authorities to fully understand how the (system) was infiltrated.”

It said clients who have not received communication from Nedbank within three working days “can be assured” that their information was not compromised.  — © 2020 NewsCentral Media