Bank Employee Sells Personal Data of 200,000 Clients

South Africa–based financial services group Absa has stated that one of its employees sold the personal information of 200,000 clients to third parties.

The group confirmed on Wednesday that the illegal activity had occurred and that 2% of Absa's retail customer base had been impacted. 

The employee allegedly responsible for it was a credit analyst who had access to the group's risk-modeling processes. 

Data exposed as a result of the security incident included clients' ID numbers, addresses, contact details, and descriptions of vehicles that they had purchased on finance. 

Financial details including PIN codes and passwords were not compromised by the data theft.

In an interview with ENCA, Absa group chief security officer Sandro Bucchianeri said that the employee believed to be behind the data theft was someone whom “we trusted" and who "had access to the information as part of their day job.”  

The analyst, who Bucchianeri said is now facing "broad criminal charges," has been suspended while the matter is investigated further. 

Bucchianeri added that the parties who allegedly purchased the data from the analyst may use it to "try to commit fraud on these accounts."

The data breach was discovered on October 27; however, Absa waited a month before revealing that client information had been compromised. Bucchianeri said that the delay was a deliberate move to ensure that "court processes" were not jeopardized.

After discovering that a breach had occurred, Absa obtained court orders for search and seizure operations to be carried out at “various premises.” 

The bank told Business Insider South Africa that all devices containing the stolen customer data had been found and wiped clean of the information. 

The incident at Absa follows the August theft of personal details belonging to 24 million South Africans and nearly 800,000 businesses from Experian in what was one of South Africa's largest ever data breaches. Information swiped in the breach included names, ID numbers, telephone numbers, addresses, and email addresses.

Customers of Absa, Capitec, Standard Bank, Nedbank, and First National Bank were affected by the incident.

What’s Hot on Infosecurity Magazine?