Photo: Elvira Wood
  • Absa has confirmed that one of its credit analysts sold the personal information of 200,000 clients to third parties.
  • The person had access to the group’s risk modelling processes.
  • Clients’ identity numbers, a description of their financed vehicles, addresses and contact details were sold – but passwords and PIN codes were not included.
  • For more articles, go to www.BusinessInsider.co.za.

An Absa credit analyst sold the personal information of some 200,000 Absa customers to third parties, the bank confirmed on Wednesday.

In an interview with ENCA, Absa group chief security officer Sandro Bucchianeri, gave more information about the culprit and the data leak.

Bucchianeri said the bank’s investigation found that a credit analyst who “we trusted, had access to their information as part of their day job”.  

A bank credit analyst examines the risk factors that may influence loan applications. The credit analyst also had access to the group’s risk modelling processes, the bank confirmed – which may imply some level of seniority.

The employee sold the information to third parties “who could potentially [use the information] to commit fraud”.

The person has been suspended pending further investigation, now faces “broad criminal charges” and will end up in court, Bucchianeri told ENCA.

He added that the analyst sold 2% of the bank’s retail customer base – an estimated 200,00 people - to third parties. These parties may include marketing groups, who may “try to commit fraud on these accounts”.

Clients’ identity numbers, description of their financed vehicles, addresses and contact details were sold – but passwords and PIN codes were not included, Bucchianeri confirmed.

Absa first found out about the leak on 27 October, and immediately alerted the Information Regulator, Bucchianeri told ENCA, The Information Regulator enforces the Protection of Personal Information Act (POPIA) in SA.

But Absa only confirmed the leak to the public more than a month later as it didn’t want to jeopardise “court processes”.

Following the discovery, Absa obtained court orders for search and seizure operations at “various premises”. All devices containing the data have been found, the bank said. The data on these devices was subsequently destroyed.

In August, the personal details of some 24 million South Africans, and nearly 800,000 businesses, were stolen by a suspected fraudster, in one of the South Africa's largest ever data breaches.

The information was allegedly stolen from the credit bureau Experian, which collects credit information about consumers from banks, retailers, and other parties. According to Experian, the information was handed over to the fraudster after that individual posed as a legitimate client.

Receive a daily news update on your cellphone. Or get the best of our site emailed to you

Go to the Business Insider front page for more stories.