Nedbank, one of South Africa's top 5 banks, has said that it does not know specifically which of its customers were affected by a data breach that has been reported to have happened at one of its suppliers. This was revealed by a Nedbank spokesperson when answering questions from iAfrikan about the data breach which is said to have possibly affected 1,7 million of Nedbank's customers.
On 13 February 2020 Nedbank issued a statement saying that it had identified a data security incident at one of its suppliers, Computer Facilities (a direct marketing company that sends e-mails and SMSes to Nedbank customers on the bank's behalf), and that this was discovered as part of its ongoing monitoring procedures.
"At this momemt (sic) we can not (sic) confirm who or which customers have been affected by data breach. We share some non-sensitive information to provide you with the best services. Personal information of Nedbank clients was compromised. Names, ID numbers, physical addresses, phone numbers and/or email addresses were at risk. Our forensics and IT specialists supported by external experts are working closely with the third-party service provider and the authorities to fully understand how the third-party services provider was infiltrated and to make sure that something of this nature never happens again," reads a statement Nedbank sent to iAfrikan.
Data breaches and identity theft in South Africa
Although no clear causal link has been proven between data breaches and identity theft scams and crimes in South Africa, there is definitely some correlation.
Over the past decade, South Africa has witnessed a rise in data leaks and data breaches. This was also highlighted during a cybersecurity get-together held in Johannesburg earlier in February 2020, where Cybereason's Roberta Arico mentioned that "South Africa is the second most likely country in the world to experience data breaches." The data breaches of the past decade include the Ster-Kinekor breach, the "masterdeeds" breach, and the Viewfines traffic fines data breach.
The rise in large-scale data breaches in South Africa over the years correlates with statistics on identity fraud published by the Southern African Fraud Prevention Services (SAFPS). According to data from SAFPS, an organization that combats fraud across the financial services industry, identity theft crimes in which fraudsters used real ID documents and names for impersonation increased by 99% in comparison to 2018.
Protection of Personal Information Act
If things were working as they should be in South Africa from a legal perspective, Nedbank would most probably be facing some penalties and legal consequences relating to this data breach irrespective of the fact that it was its supplier, Computer Facilities, that experienced the data breach.
If South Africa's Protection of Personal Information Act (POPIA) was being enforced and was being fully implemented, as Lucien Pierce (Head of Telecommunications, Media and Technology at Phukubje Pierce Masithela Attorneys) puts it, matters would be a little bit more serious for the South African bank.
"As much as the press release appears to direct blame at the service provider (and it certainly appears that the service provider was at fault), the reality is that if POPIA was in force, Nedbank would have almost no escape from civil liability for any damages its clients suffer. POPIA makes someone like Nedbank strictly liable even though the breach may have been caused by its service provider. There are only four defences that Nedbank could raise: that the breach was caused by an act of God; its customers consented to the breach; its customers caused the breach; it was not reasonably practical to avoid the breach; or the Information Regulator had granted it permission to allow the breach. It’s not likely that Nedbank can use any of these defences so, if POPIA was fully effective, the only question would be how much Nedbank would pay in damages, not if it would have to," writes Pierce.
Unfortunately, despite promises over the years, the Information Regulator (South Africa) is still not at full capacity to enforce POPIA. As such, companies like Nedbank and many others that have experienced data breaches affecting South African citizens can continue business as usual without any consequences, issuing press releases and statements that mean very little for their customers.
"We take the protection of our clients’ data seriously and regret any concerns that this has caused. In the unlikely event this would be the case, if it is confirmed that fraud was perpetrated as a direct result of personal information obtained from you through this incident you will be compensated. We will continue to keep our clients updated as new information becomes available," concludes the statement by Nedbank.