Nedbank third-party service provider Computer Facilities was exploited to steal customer data
Nedbank, one of the largest financial institutions in South Africa, announced a data breach on Thursday.[1] In a public notice to customers, the bank said that its third-party service provider Computer Facilities (Pty) Ltd had exposed the personal data of 1.7 million customers because of a security issue on its systems.
Computer Facilities is a marketing company that Nedbank used for promotional campaigns and for SMS and email communications with clients. Because the third party had no connection to Nedbank's own systems, no sensitive information such as login credentials, PINs or passwords was compromised.
Nedbank warns users that the following data might have been accessed by the still-unidentified attackers:
A subset of the potentially compromised data at Computer Facilities included personal information (names, ID numbers, telephone numbers, physical and/or email addresses) of some Nedbank clients.
No Nedbank systems or client bank accounts have been compromised in any manner whatsoever or are at risk as a result of this data issue at Computer Facilities (Pty) Ltd.
Nedbank Group is one of South Africa's largest financial services groups, spanning banking, insurance, asset management and wealth management, and it also operates in six other countries: Lesotho, Malawi, Mozambique, Namibia, Swaziland, and Zimbabwe.[2]
Software vulnerability at Computer Facilities is to blame
Nedbank said the breach was discovered during a routine audit of Computer Facilities, conducted as part of its continuous third-party monitoring program. The audit found that the service provider had not kept its systems properly secured and that one of them was affected by a vulnerability.
Computer Facilities held the names, ID numbers, phone numbers, home addresses and email addresses of 1.7 million Nedbank customers, 1.1 million of whom were still active clients. Computer Facilities had no access to Nedbank's own systems, which limited the exposure to this contact data.
As soon as Nedbank's representatives identified the security hole at Computer Facilities, all Nedbank client information held there was contained and destroyed. As an additional precaution, the affected machines were disconnected from the internet "until further notice." Nedbank also instructed the service provider to inform its clients about the breach.
Beyond containing the data, the bank also began working with the relevant law enforcement agencies, as Nedbank Group Chief Information Officer Fred Swanepoel explained:
Our team of IT specialists and external cyber security experts have been working continuously with them since we became aware of this matter. Clients' bank accounts have not been compromised in any manner whatsoever and clients have not suffered any financial loss. Nedbank remains vigilant in its efforts to contain cyber-crime.
In the wake of the data breach, Nedbank asks customers to be vigilant
Upon discovery, Nedbank immediately began notifying the affected clients and sent out the following SMS:[3]
Dear Client, we regret that some of your personal information (name, ID, contacts) was potentially compromised at the premises of a third-party service provider we used for communications. We assure you your accounts & money are safe. Our systems, your passwords and pins were not affected in any way. Don't share passwords and pins. No action required from you, remain vigilant. Queries: 0860 775 775, [email protected]
Nedbank says it shares some non-sensitive personal information with third parties in order to deliver services to clients, but it remains responsible for that data and is obliged to act immediately on any leak like this one. Nedbank's IT specialists and external forensic experts are still investigating the incident; it is not yet known exactly how the attackers exploited the vulnerability to breach Computer Facilities' servers.
This incident is far less severe than the Capital One breach,[4] but affected users should expect to be targeted by scammers.[5] Nedbank warns that customers may receive calls from fraudsters posing as bank representatives. The exposed fields (name, ID number, phone number, address) are exactly what a scammer needs to make such a call sound legitimate, so a caller knowing them is no proof that they are from the bank. It is therefore important to stay vigilant and never provide additional information in response to unsolicited calls or emails.