Nedbank says 1.7 million customers impacted by breach at third-party provider

Hacker(s) believed to have exploited a vulnerability to breach Nedbank's marketing contractor.
Written by Catalin Cimpanu, Contributor
Image: Nedbank

Nedbank, one of the biggest banks in the South Africa region, has disclosed a security incident yesterday that impacted the personal details of 1.7 million users.

The bank says the breach occurred at Computer Facilities (Pty) Ltd, a South African company the bank was using to send out marketing and promotional campaigns.

In a security notice posted on its website, Nedbank said there was a vulnerability in the third-party provider's systems that allowed an attacker to infiltrate its systems.

The data of 1.7 million past and current customers is believed to have been affected. Details stored on the contractor's systems included things like names, ID numbers, home addresses, phone numbers, and email addresses.

The bank began notifying customers about the breach yesterday, via SMS. A copy of one of these texts is below, courtesy of one of our readers.

Image provided by ZDNet reader

The South African-based bank said it learned about the breach while conducting routine and ongoing monitoring processes of its partner's systems, and discovered a vulnerability in the contractor's network.

Since the incident, Nedbank says the contractor's network has been taken offline to prevent any further attacks, and the bank has intervened and destroyed any customer data from the contractor's systems.

Nedbank said that none of its own systems have been affected by this incident, and the breach was limited only to its contractor's network. The contractor appears to have had a copy of the bank's customer data, but no direct access to the bank's systems.

Bank officials apologized for the breach and said they are working with law enforcement authorities to assist with catching the attackers.

Nedbank is one of the biggest banks in Africa. It primarily operates in South Africa, but also in Angola, Kenya, Lesotho, Malawi, Mozambique, Namibia, Swaziland, and Zimbabwe.

Editorial standards