Last week we covered the Nedbank client data hack in which 1.7 million Nedbank clients may have had their personal and private data exposed. The leak originated in a security breach at Computer Facilities, a third-party service provider that sends SMS and email marketing on behalf of the bank.
The breach saw names, ID numbers, telephone numbers, and even email and physical addresses of Nedbank clients compromised. The bank became aware of the security issue during a routine monitoring procedure. New details have since confirmed that the data breach was first discovered two weeks ago, one week before the story of the leak broke, amongst other outlets, via My Broadband.
New Details from Nedbank CEO:
Mike Brown, CEO of Nedbank, had the following details to share in an interview with CNBC Africa:
“We have done everything in our power to contain the incident. We have been on the premises of the supplier, deleted all the Nedbank data and they shut them off the Internet.”
Brown says that it is currently assumed that all the data Nedbank has sent to Computer Facilities over time is compromised. It is also notable that, while the data was sent to the supplier in encrypted form, it was stored there in plain text files, so the encryption in transit offered no protection once the data was at rest on the supplier's systems.
He also stressed that, as previously reported, none of Nedbank's own systems were compromised, which means that no bank account numbers, PINs or passwords were leaked; only the contact and identity details held by the supplier were exposed.
What this Security Breach Means to You:
While clients have already been warned by message, it is important to understand that names, ID numbers, telephone numbers, physical addresses and email addresses can all be used by cybercriminals to launch social engineering attacks against banking clients.
This means that criminals can use the leaked details as a pretext to obtain the data that was not leaked, namely bank account numbers, PINs or passwords, by phoning clients and posing as Nedbank. Cybercriminals may try to earn your trust by reciting your own information back to you before asking for the additional data they need to steal from you, or worse.
Paul Ducklin, Principal Research Scientist at Sophos, an IT security company, says that what clients have to worry about now is a ‘double-whammy’ of phishing risks.
“First, if this data ends up in the hands of cybercrooks, they will be in a position to send bogus emails or to make fraudulent phone calls that are much more believable than usual. The crooks won’t say ‘Dear Sir/Madam’, they’ll say ‘Dear Siyabonga’ or ‘Dear Sarah’. They’ll be able to send you a document that’s password protected with your ID number, just like some banks do. They’ll know where you live so they can find out your closest branch and thus add a personal touch when they contact you,” he says.
Ducklin says that to protect themselves, clients should always look up the relevant contact details themselves and never take them from others, no matter how certain they are of the other party's trustworthiness.
“If you have a bank card, turn it over and look for contact details on the back – the crooks can’t change the phone number or website name on a card you’ve already got!”
Brown, likewise, urges clients to be vigilant and never give such sensitive information to people who phone them.
He advises any client who feels concerned or notices suspicious activity to email the bank at firstname.lastname@example.org or call 0860 777 5775. My Broadband, which tested the issued email address itself, said that while the bank responded quickly, “the consultant did not answer any of the questions asked. Instead, he simply reiterated the statement sent out by Nedbank previously.”
Edited by Luis Monzon
Follow IT News Africa on Twitter