A South African bank has confirmed that an employee had sold the data of more than 200,000 of its clients to a number of third parties, signaling the importance of an information security management system.
The bank in question, Absa, confirmed earlier last week that one of its employees was found to have sold sensitive personal and financial data of 200,000 clients to a third party.
Absa says that the employee was a member of its credit analysis team, and had access to sensitive parts of its system including the risk-modelling system, which was connected to the firm’s database. The bank employee abused his privileged access and sold data of clients to third parties for his personal profit.
The South African bank discovered the data leak on October 27th, but the bank waited a month before it revealed the scope of the data breach to the public. Absa said that this decision was made to make sure that ‘court processes’ were not put into question.
Absa’s Chief Security Officer, Sandro Bucchianeri, has told South African media outlet ENCA that the data leak was limited to 2% of its customer base. However, this still represents 200,000 customers who have potentially had their personal details compromised.
Bucchianeri said the employee was someone that the organisation “trusted” and “had access to the information as part of their day job.” The employee harvested and sold personal information such as identification numbers, addresses, contact details and vehicle information.
Researchers warn that organisations should be wary of whom they give access to critical systems, or risk a repeat of this incident, in which a bank employee sold the data of the bank’s clients.
“[The employee] leaked this information to an external platform and ultimately sold it on to a limited number of third parties, and that’s why we’re calling it a leak, because we’ve had no system compromise which typically relates to a breach.”
“It’s about 2% of our retail customer base in South Africa; roughly 200,000 customers that were affected by this leak,” Bucchianeri said. “What I can share is that this employee was one of our credit analysts who has access to risk modelling systems, and with that information, it was sold to third parties who would then potentially use that information to commit fraud.”
“In terms of what has happened to that employee, the employee has consequently been suspended – pending further investigation – and we have also raised broad criminal charges against this employee, and that’s going through the courts right now, and that’s currently where we stand.”
Bucchianeri apologised on behalf of the bank, stating that “we want to offer our apologies to our customers for this incident which goes completely against the culture of our organisation, and we hold the integrity of customers’ data with the utmost care.”
Insider threats, like this bank employee who sold the data of clients to third parties for personal profit, are becoming increasingly common in the 21st century.
According to a report from InfoSecurity Magazine, “the incident at Absa follows the August theft of personal details belonging to 24 million South Africans and nearly 800,000 businesses from Experian in what was one of South Africa’s largest-ever data breaches.”
“Information swiped in the breach included names, ID numbers, telephone numbers, addresses and email addresses… Customers of Absa, Capitec, Standard Bank, Nedbank, and First National Bank were affected by the incident.”