Nedbank warns clients of potential impact of data incident at Computer Facilities (Pty) Ltd
No Nedbank systems or client accounts impacted
Clients need not take any further action other than continue to be vigilant
Nedbank has investigated a data security issue that occurred at the premises of a third-party service provider, namely Computer Facilities (Pty) Ltd - a direct marketing company that issues SMS and email marketing information on behalf of Nedbank and a number of other companies. A subset of the potentially compromised data at Computer Facilities included personal information (names, ID numbers, telephone numbers, physical and/or email addresses) of some Nedbank clients.
No Nedbank systems or client bank accounts have been compromised in any manner whatsoever or are at risk as a result of this data issue at Computer Facilities (Pty) Ltd.
Nedbank identified the data security issue at Computer Facilities (Pty) Ltd as part of our routine and ongoing monitoring procedures.
Once we became aware of the issue, we engaged as a matter of urgency with the service provider and leading forensic experts to conduct an extensive investigation.
We have moved swiftly to proactively secure and destroy all Nedbank client information held by Computer Facilities (Pty) Ltd. Information from Nedbank Retail relating to approximately 1,7 million clients was potentially affected, of which 1,1 million are active clients.
This incident is isolated to the third-party service provider's systems. As a further precautionary measure, Computer Facilities (Pty) Ltd's systems have been disconnected from the internet until further notice.
"We regret the incident that occurred at the third-party service provider, namely Computer Facilities (Pty) Ltd and the matter is receiving our urgent attention. The safety and security of our clients' information is a top priority. We take our responsibility to protect our client information seriously and our immediate focus has been on securing all Nedbank client data at Computer Facilities (Pty) Ltd, which we have done. In addition to this, we are communicating directly with affected clients. We are also taking the necessary actions in close cooperation with the relevant regulators and authorities," Nedbank CEO Mike Brown says.
Nedbank Group Chief Information Officer Fred Swanepoel says: "The third-party service provider, namely Computer Facilities (Pty) Ltd, did not have any links to our systems. Our team of IT specialists and external cyber security experts have been working continuously with them since we became aware of this matter. Clients’ bank accounts have not been compromised in any manner whatsoever and clients have not suffered any financial loss. Nedbank remains vigilant in its efforts to contain cyber-crime."
We have advised Computer Facilities (Pty) Ltd of their obligation to notify any of their other customers potentially impacted by the incident.
Clients' bank accounts are not at risk and they do not need to take any further action other than continuing to be vigilant against attempts at fraud.
For any questions or concerns, please contact our call centre: 0860 775 775 or email: DataProtection@Nedbank.co.za.
When did you know about the incident?
We became aware of the incident late last week when our routine and ongoing monitoring processes indicated a potential vulnerability of the third party's system. We immediately started an investigation and as soon as we had verified our information, we started engaging with the third party to secure all Nedbank client data.
Why were we not advised earlier?
Upon learning of the incident, we took immediate action by proactively securing and destroying all client information at the third-party service provider. We immediately started an investigation and, as soon as we had verified the data, we started communicating with our affected clients.
Our priority is the security of our clients, their information and our systems.
Has my account been compromised?
Clients' bank accounts have not been compromised in any manner whatsoever as a result of this incident. For your account to have been compromised, any fraudster would need additional information that was not present or not available from the data vulnerability.
For example, if it were on digital channels, they would need a one-time PIN and they would need your actual device. If it were at a branch, we would look for additional verification such as fingerprint confirmation with the Department of Home Affairs.
What kind of information did the third-party supplier keep?
The third party is a direct marketing company that issues SMS and email marketing information on behalf of Nedbank and a number of other companies. The information used in the process includes personal information such as ID numbers, names and/or addresses. The third party does not have access to Nedbank’s systems.
We have proactively secured and destroyed all client data at the third party and ceased any further transfer of data to the third-party service provider, whose systems are now disconnected from the internet.
How did this happen? How did the breach occur?
Our forensics and IT specialists, supported by external experts, are working closely with the third-party service provider and the authorities to fully understand how the third-party service provider was infiltrated. Nedbank uses the third-party service provider to distribute communication to certain clients on our behalf, such as email or text campaigns. We share some non-sensitive information to provide you with the best services.
None of Nedbank’s systems have been impacted. Upon discovering the vulnerability, Nedbank took immediate action. We have proactively secured and destroyed all client information at the service provider. None of our client bank accounts, nor any of Nedbank’s systems have been compromised in any manner whatsoever. This incident is isolated to the third-party service provider’s systems, which are currently disconnected from the internet.
Why have you shared my personal information with this third party? Is this so that they can market more services to me?
It is common for companies like ourselves to use a third-party service provider to distribute communication on our behalf. We share some non-sensitive information to provide you with the best services. We understand the value our clients place on data security and regret this situation.
Is it legal for you to share my personal information with this third party?
Yes, the third party was acting on behalf of Nedbank to communicate with our clients. We share some non-sensitive information to provide you with the best services.
How do I know if my personal information is part of the data that was compromised?
If you have not received communication from Nedbank to this effect (within three working days), you can be assured that your information was not compromised. Direct further queries to mailbox: DataProtection@Nedbank.co.za or 0860 775 775.
Clients that have received communication from Nedbank advising of the compromise are to direct queries in accordance with the communication received.
What data has been compromised?
We share some non-sensitive information to provide you with the best services. Personal information of Nedbank clients was compromised. Names, ID numbers, physical addresses, phone numbers and/or email addresses were at risk.
What do I do now?
Remain vigilant as per usual and notify us, via mailbox: DataProtection@Nedbank.co.za or 0860 775 775, of any suspected unauthorised use of your personal information.
Also be wary of any emails or calls asking for more information to help deal with the data security incident: fraudsters often pose as police or banks.
As an extra precaution, you have the option to list your details on the South African Fraud Prevention Services database which provides additional protection against identity theft. For more details visit www.safps.org.za.
What is SAFPS?
It is a bureau that has a database that lists fraudsters (who have committed fraud), and individuals can register if they have been victims of identity theft. It offers a free identity protection service to members of the public. Individuals need to apply via the website or call centre.
Should I cancel my bank cards linked to my account?
No, not at all. No account or card details have been compromised and as a result there is no need for clients to cancel their bank cards.
All information we have on our banking systems is fully protected.
Will I be compensated if this breach leads to identity theft or some other issue for me?
We take the protection of our clients’ data seriously and regret any concerns that this has caused. In the unlikely event this would be the case, if it is confirmed that fraud was perpetrated as a direct result of personal information obtained from you through this incident, you will be compensated.
We will continue to keep our clients updated as new information becomes available.
Can the perpetrators be caught?
We are working with the authorities to assist with this.
Can we contact Computer Facilities (Pty) Ltd directly?
They are an independent company, so we cannot comment on their behalf; we can only comment on what Nedbank is doing to protect you.
After Nedbank’s actions, is my data now secure?
With regard to the data incident at Computer Facilities (Pty) Ltd, yes. You do not need to take any further action other than continuing to be vigilant against attempts at fraud.