15 April 2021
Absa notified a limited number of customers in South Africa in November 2020 that some of their data had been exposed to third parties. We stated at the time that investigations continue to assess the full scope of the incident.
The exposure had resulted from an employee selling data to a small number of external parties. This was a serious breach of Absa’s data privacy policy and an unlawful act. The employee was dismissed and faces criminal charges as we have zero tolerance for offences of this nature.
Ongoing investigations into the leak revealed that selected data relating to an additional number of customers in South Africa had been exposed to the third parties.
We are currently notifying additionally affected customers via email, letters and/or SMS.
Important customer information:
- PINs and passwords were not exposed in the leak and therefore no third parties have direct access to customer accounts as a result of the exposure.
- The types of data that have been shared include, for example, names, surnames, contact numbers, ID numbers and vehicle details.
- Customers who receive notifications need not take any action as Absa has placed heightened monitoring on accounts as a precautionary measure.
- Customers who have not received notifications need not take any action; we will notify customers directly if they are affected by the leak.
- Criminals often use customer information at their disposal to contact you under false pretenses, purporting to be from legitimate organisations or a bank. They may try to contact you via phone, text message or email, impersonating Absa or another reputable institution. Customers must always be vigilant and must not share their online PIN, online password, card PIN, card CVV number, OTP and/or approval messages.
- Customers can contact our fraud hotline at 0860 557 557 or visit one of our branches.
Absa is dealing with the matter decisively:
- The employee who leaked customer data was dismissed and faces criminal charges.
- Absa obtained court orders enabling search and seizure operations to uncover data in the possession of external parties who unlawfully acquired the data.
- Data found in possession of external parties was analysed, subject to independent forensic review, and deleted/removed from external parties’ devices/premises.
- A criminal case was reported to the SAPS and all implicated parties will be investigated by the SAPS.
- We are collaborating with the South African Banking Risk Information Centre (SABRIC) to ensure that investigations are comprehensive.
- Absa commissioned an independent review of all our controls and processes associated with data protection.
We greatly regret the incident, which we view as the unconscionable actions of an individual, and which are not reflective of Absa’s culture.