Nedbank Reports a Data Breach That Could Have Affected 1.7 Million Clients

In early February, IT experts working for Nedbank, one of South Africa's 'big four' commercial banks, learned that some of their customers might have been affected by a data breach. Within a week, they had thoroughly investigated the incident, and Mike Brown, Nedbank's CEO, agreed to discuss the attack in an interview with CNBC Africa. At one point, he said that Nedbank customers 'don't need to do anything differently.' But what prompted him to say that? And is that such good advice?

A breach at a direct marketing company affects 1.7 million Nedbank customers

One of the first things Nedbank clients must know is that there's nothing to suggest that their bank's IT security has been compromised. The breach happened at a third-party service provider called Computer Facilities Ltd., which Nedbank had hired for the purpose of contacting customers via email and SMS. Technical details around the nature of the attack are practically non-existent, but we did learn that at one point, hackers gained access to some servers that belonged to Computer Facilities and held the personal information of Nedbank users. According to, the ID numbers, telephone numbers, and physical and email addresses of 1.7 million Nedbank customers were put at risk.

By the looks of things, neither Nedbank nor Computer Facilities knows whether any of that data was actually stolen, but out of an abundance of caution, the bank is treating it as compromised. Potentially affected accounts have been included in a fraud database, and Nedbank employees will keep a closer eye on them to ensure that any suspicious activity is dealt with quickly and efficiently.

In his interview, Nedbank's CEO was adamant that bank account numbers, passwords, or PINs were not affected by the breach. That's why he appears to think that Nedbank customers don't have to do anything out of the ordinary to protect themselves. There are one or two issues with this, though.

Nedbank customers mustn't underestimate the breach

The potentially compromised information from Computer Facilities isn't enough to let hackers steal Nedbank customers' bank accounts, and Mike Brown repeatedly said that as long as people don't give away sensitive information like PINs, passwords, and bank account numbers, their money should be safe. This much is true, but by saying that Nedbank clients don't have to do "anything differently," Brown assumes that in general, people are vigilant enough and can't be tricked into giving away their login credentials. The huge number of users who fall victim to social engineering attacks every day shows that this is not really the case.

Although it's been around for decades now, phishing continues to be one of the most effective ways of collecting login credentials. The more believable the emails, the greater the chance of success, and thanks to the breach at Computer Facilities, the messages Nedbank customers receive could be pretty convincing.

If they get their hands on the data, crooks can craft phishing emails that address the target by name, and they can make the messages look like they're coming from the bank. Meanwhile, the presence of phone numbers and physical addresses opens up the avenue for other scams.

In other words, thanks to the breach at Computer Facilities, Nedbank customers can fall prey to a wide range of attacks, some of which could be extremely sophisticated. In light of this, Mike Brown's decision to tell his clients to do everything they normally do probably wasn't such a good idea. Affected customers need to be aware of the potential dangers and should approach everyday tasks with a lot of extra caution.

February 21, 2020