Nedbank Hack due to Poor Security at 3rd Party Facility, says Researcher


New information concerning the Nedbank data breach has emerged, detailing the lax security at the 3rd party facility where the hack originated, reports My Broadband.

Last month, IT News Africa covered the leak and the subsequent new information revealed by Nedbank’s CEO about the hack.

The Nedbank Data Breach

Computer Facilities, the 3rd party provider that issues SMS and email marketing on behalf of Nedbank, suffered a massive security breach in February that left 1.7 million Nedbank clients vulnerable to having their personal and private data leaked online and used against them by cybercriminals.


This data included information like full names, ID numbers, telephone numbers and even email and physical addresses. However, as Nedbank has told its clients on multiple occasions, information regarding banking or client accounts remained protected.

The breach itself was discovered around the first few days of February, about a week before it was first reported to the public.

Details from CEO

CEO of Nedbank, Mike Brown, shared new details about the breach a week after it happened.

He said, “We have done everything in our power to contain the incident. We have been in the premises of the supplier, deleted all the Nedbank data and they shut off the Internet.”

He said that all the data Nedbank had ever sent Computer Facilities was considered compromised. The data was stored in common text files, which further aided the breach because such files are relatively easy to access.

Finally, Brown had a warning for the clients of Nedbank: cybercriminals will try to earn your trust before asking you for more information that they would use to steal from you.

“First, if this data ends up in the hands of cybercrooks, they will be in a position to send bogus emails or to make fraudulent phone calls that are much more believable than usual. The crooks won’t say ‘Dear Sir/Madam’, they’ll say ‘Dear Siyabonga’ or ‘Dear Sarah’. They’ll be able to send you a document that’s password protected with your ID number, just like some banks do. They’ll know where you live so they can find out your closest branch and thus add a personal touch when they contact you,” he says.

Brown further says that Nedbank's data was not the only data compromised, since Computer Facilities’ systems contain data from other companies and users.

Failures in Security Procedures

My Broadband spoke with a security researcher, who preferred to remain anonymous, and who provided information suggesting that the security at Computer Facilities was poor to begin with.

Email addresses for Computer Facilities staff were exposed in the leaks, showing usernames and passwords. These passwords for staff emails were extremely weak: some were simple dictionary words and others were words following a short series of digits. Although these passwords have no bearing on the password policies of the systems that were breached, they do shine a light on how poorly educated staff were with regard to proper cyber-security practices, something that is quite common in South Africa.

The researcher also found many old security vulnerabilities on Computer Facilities’ web servers that had never been fixed or locked down. These vulnerabilities could have been used by criminals to crash the web server and gain information about the company's systems and how they work.

One particular vulnerability, namely CVE-2010-1256, allows attackers to gain admin access under certain conditions.

The researcher explained how the Nedbank hack was an excellent example of how cybercriminals think. Instead of attacking Nedbank’s highly protected systems for info, they merely have to attack a less-secure third party, and out trickles all the user information they need.

Computer Facilities’ MD Bongani Manyika said that it was not fair to label their security as “lax” or ask them to comment on the allegations from My Broadband’s anonymous source until they had an incident report.

The company says it is waiting for a full security report from Group-IB that would cover all aspects of the breach, including the remediation steps required.

Edited by Luis Monzon
