The SA Banking Risk Information Centre (Sabric) has confirmed that credit bureau Experian suffered a data attack which “has exposed some personal information of as many as 24 million South Africans”.
Nearly 800,000 business entities have also fallen pray to a “suspected fraudster”, Sabric said.
According to the risk centre, Experian confirmed the breach, which has been reported to law enforcement.
“Banks have been working with Experian and Sabric to identify which of their customers may have been exposed to the breach and to protect their personal information, even as the investigation unfolds,” Sabric said in a statement.
It added that the affected banks would speak to customers about how they may be affected by the breach and what is being done.
“The compromise of personal information can create opportunities for criminals to impersonate you, but does not guarantee access to your banking profile or accounts. However, criminals can use this information to trick you into disclosing your confidential banking details,” warned Sabric CEO Nischal Mewalall.
Sabric advised that if anyone suspects that their identity has been compromised, they should apply immediately for a free protective registration listing with the Southern African Fraud Prevention Service (SAFPS).
“This service alerts SAFPS members, which includes banks and credit providers, that your identity has been compromised and that additional care needs to be taken to confirm that they are transacting with the legitimate identity holder,” it said.
Consumers wanting to apply for a protective registration can contact SAFPS at firstname.lastname@example.org.
Standard Bank on Wednesday confirmed that some of its clients had been affected.
“We are working closely with Experian, Sabric, the Banking Association of South Africa (Basa) and the Southern African Fraud Prevention Service (SAFPS) to give this investigation the support and urgency it deserves,” it said in a statement.
First National Bank said on Wednesday night that it had been made aware of the breach and was working “to mitigate any potential risks on our customers as a result of the incident”.
“The bank is communicating directly to customers who may have been impacted from a banking perspective. The protection of our customers’ banking information is our utmost priority,” it said in a statement.
African Bank said in a statement that the breach meant that some customers’ personal information – “including the likes of identity numbers [and] cell numbers” – had been compromised.
“The compromise of personal information can create opportunities for criminals to impersonate an individual but does not provide access to a customers’ banking account or details,” the bank said.
The bank’s chief risk officer, Piet Swanepoel, said: “This breach of personal information does impact our credit customers because we have to, by law disclose all details of customers who have credit with us to three credit bureaus, one of which is the Experian credit bureau. Of importance is that our customer’s banking credentials have not been breached, so fraudsters will not be able to access any of our customers’ banking details.”