Rogue Absa employee explains data leak

Investigation reveals how an Absa employee sold client data.

An Absa employee accused of leaking some of the bank’s South African customer data to third parties said they had “unlawfully made selected customer data available to a small number of external parties”.

The apparent motive was a financial reward.

TechCentral reports that information leaked included names and surnames, identity numbers, physical addresses, bank account and/or credit card numbers, mobile contact numbers, and vehicle details. The bank clarified that passwords or PIN codes were not part of the sold data, but was concerned that fraudsters could still try and take advantage of the situation.

Absa first discovered the leak when a whistle-blowing report was issued to the chief security office on 26 October. Absa then approached the court to determine the nature of the data shared and the recipients thereof, and to secure orders for search-and-seizure operations. The court orders allowed for the authorised search of premises and devices of the parties who unlawfully acquired the data. The bank has since laid criminal charges against the employee who sold the data.

Absa says it is taking steps to address the internal processes that enabled the employee to share the data, as well as proactive steps to mitigate the risk of customer data being misused. The bank has reported the matter to the Information Regulator, the Prudential Authority and the Financial Sector Conduct Authority.