By Vernon Pillay for IOL
Debt-IN, a debt recovery solutions partner to many South African financial services institutions, including African Bank, has announced that a ransomware attack by cybercriminals has resulted in a significant data breach of consumer and employee personal information.
It is suspected that consumer and personal information of more than 1.4 million South Africans were illegally accessed from Debt-IN servers in April this year.
It should be noted that this breach only came to light last week with the discovery that confidential consumer data and voice recordings of calls between Debt-IN debt recovery agents and financial services customers had been posted on hidden internet sites that are only accessible by a specialised web browser.
According to Debt-IN, the company is working closely with the regulator, law enforcement agencies and other cyber-security partners to rapidly gather facts, resolve the issue and provide ongoing information to clients.
Earlier on Wednesday, African Bank confirmed that one of its appointed professional debt recovery partners, Debt-IN, was targeted by cybercriminals in April 2021.
According to a statement by the bank, Debt-IN is now aware that the personal data of certain customers, including a number of African Bank Loan customers under debt review, has been compromised.
African bank said that Debt-IN is confident that no data shared post-April 1, 2021, has been compromised.
“A robust mitigation plan has been implemented by Debt-IN to contain and reduce any further adverse impact,” the bank said on Wednesday.
“We have been collaborating with Debt-IN to address this breach. We have notified the relevant regulatory authorities, and we are also in the process of alerting customers who have been affected via email and SMS.”
African Bank customers can call 0861 111 011 if they suspect any fraudulent activity on their accounts.
According to the debt recovery firm: “While the investigations are ongoing and the analysis subject to change, the findings to date show there has been no further breach and enhanced data protection measures remain securely in place.”
“The company has taken immediate and appropriate actions to reinforce existing security measures and to mitigate any further potential impacts of the breach, including assembling a team of highly regarded and globally experienced cyber breach and forensic experts to work with Debt-IN on the incident.”
“Debt-IN deeply regrets this cyberattack, and we apologise unreservedly for the inconvenience and anxiety this the data breach has caused our clients, and their customers,” says Mark Essey, CEO.
“We are taking this matter very seriously. In this age of highly sophisticated information security threats and an estimated 17 billion cyberattacks around the world every day, Debt-IN is committed to doing all it can to protect clients’ information.