South Africa’s major banking groups have responded to the major data breach at credit bureau Experian, where the personal details of as many as 24 million South Africans were exposed to a third party.
Experian, a consumer credit reporting company, said on Wednesday (19 August) that it experienced a breach of data which has exposed some personal information of as many as 24 million South Africans, and 793,749 business entities, to a suspected fraudster.
The breach has been reported to authorities, and South African banks have been working with Experian and the South African Banking Risk Centre (Sabric) to identify which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds.
“Our investigations indicate that an individual in South Africa, purporting to represent a legitimate client, fraudulently requested services from Experian,” the company said in a statement.
“The services involved the release of information which is provided in the ordinary course of business or which is publicly available.”
“We can confirm that no consumer credit or consumer financial information was obtained. Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes.”
Experian added that its investigations show that the suspect had intended to use the data to create marketing leads to offer insurance and credit-related services.
In response to the breach, banks have told their customers to take various security measures – such as changing passwords and registering with South Africa’s fraud prevention services.
Here are the specifics from each of the banks:
“Following notification by Experian of a data breach, in conjunction with Sabric and Experian, Absa has proactively taken risk-mitigation steps to protect our customers,” the group said.
“To this end, we have isolated, amongst others, impacted accounts to ensure that the matter is dealt with promptly and comprehensively. We are in control of the situation and are contacting impacted customers directly.
“We urge our customers to heighten their vigilance against any possible fraud – never share your banking credentials with a third party,” the bank said.
Further information and important guidelines are available on Absa’s website.
African Bank confirmed its clients were affected by the breach, meaning certain customers’ personal information, including identity numbers, mobile numbers, etc., has been compromised.
“The compromise of personal information can create opportunities for criminals to impersonate an individual but does not provide access to a customer’s banking account or details,” it said.
“This breach of personal information does impact our credit customers because we have to, by law, disclose all details of customers who have credit with us to three credit bureaus, one of which is the Experian credit bureau,” the bank said.
“Of importance is that our customers’ banking credentials have not been breached, so fraudsters will not be able to access any of our customers’ banking details.”
African Bank said it has enhanced its security measures to protect customers.
“Customers should however remain aware fraudsters can impersonate a bank and contact customers and pretend to be their bank since they may know their ID and their cell numbers,” it said.
It urged all banking customers to remain vigilant against possible fraud and to:
- Never disclose usernames, passwords, PINs or One Time Pins (OTPs) when asked to do so by anyone via telephone, fax, text messages or even email, no matter how believable they are. African Bank will NEVER ask this information of you.
- Change your passwords regularly and never share them with anyone.
Customers are advised to monitor their accounts and always report suspicious behaviour, should they see any. Customers can call African Bank on 0861 111 011 should they need to alert the bank to any suspicious activity on their account.
FNB said it has been made aware that Experian has experienced a data breach. “We are working with all relevant authorities to mitigate any potential risks on our customers as a result. The protection of our customers’ banking information is our utmost priority,” FNB said.
“Customers are advised to be extra vigilant and follow our recommended security precautions, found on Security Centre on the FNB App and Online Banking.
“The Bank is communicating directly to customers who may have been impacted from a banking perspective,” it said.
FNB said customers can get more information or report fraud through its security page.
It recommends the following measures to keep safe:
- It is vitally important that you never give your Online Banking username and/or password to anyone.
- Never give your One Time PIN (OTP) to anyone.
- Never click on links in emails claiming to be from FNB (we never send links in our correspondence).
- Always type in www.fnb.co.za in your browser.
- Be cautious of company names with web-based email addresses, e.g., [email protected], @hotmail.com, @gmail.com, @ymail.com.
- Review your transactions regularly.
- Don’t expect to be selected as a winner if you haven’t participated in the lottery or other competitions.
- Never save your passwords to your browsers.
Investec said it was aware of the data breach, and referred customers to the Sabric statement.
“We are taking measures to identify and protect affected clients,” it said.
Nedbank said it has been advised that Experian SA has shared personal information with a third party pretending to be a legitimate customer of Experian. The information shared includes names, ID numbers, telephone numbers, physical and/or email addresses, it said.
“Your bank accounts are not at risk. Personal information can create opportunities for criminals to impersonate you but does not guarantee access to your banking profile or accounts – unless you disclose confidential banking details to them,” the bank said.
“Clients from all banks, among other credit providers, are impacted by this data breach as it is a credit industry requirement for credit providers to share this information with credit bureaus such as Experian SA.”
Tips on how to be safe:
- Never share your passwords or pins with anyone – ever.
- Never disclose your personal information to anyone who calls you, emails you, or SMSs you. Remember Nedbank will never contact you asking for this information.
- Contact Nedbank immediately should you suspect unauthorised use of your personal information at [email protected]
“The safety and security of your information is a top priority. We will continue to monitor suspicious activity on client accounts,” Nedbank said.
Standard Bank confirmed that it is aware that Experian South Africa is investigating an external credit bureau incident.
“We are working closely with Experian, Sabric, the Banking Association of South Africa (BASA) and the Southern African Fraud Prevention Service (SAFPS) to give this investigation the support and urgency it deserves.”
The bank said it has proactively stepped up its authentication processes and fraud prevention and detection strategies to protect clients.
“As our measures are security sensitive, we are unfortunately not able to divulge more details. We understand the anxiety that this will cause for our clients and wish to assure them that we are doing everything possible to protect them during this difficult time,” it said.
It advised clients to:
- Change banking passwords on our digital banking platforms and social media passwords
- For personal clients, register for DigiMe on the Standard Bank App
- Register for MyUpdates (free Standard Bank SMS service) to be notified of all transactions over R100 on your accounts
- Contact the bank or your relationship manager immediately if you suspect your bank account(s) or card(s) have been compromised
- Do not share your personal details, banking details or one-time pin with anyone
- Register with SAFPS for protective registration – if anyone tries to apply for banking products with your ID, it will be declined or referred for further review.