Cyber Incident Victim: Nedbank
Date: Feb 2020
Location: South Africa
Summary
A major South African bank experienced a data breach affecting 1.7 million current and former customers due to a security vulnerability at a third-party marketing contractor, Computer Facilities (Pty) Ltd. The compromised personal information included names, national identification numbers, physical addresses, phone numbers, and email addresses. The bank detected the incident through routine monitoring of its partner's systems, after which the contractor's network was isolated to prevent further unauthorized access and all customer data stored there was destroyed. No internal banking systems were compromised during the incident. Affected individuals received SMS notifications, and the institution collaborated with law enforcement while apologizing for the security lapse.
Description
On February 13, 2020, Nedbank disclosed a security incident affecting approximately 1.7 million current and former customers. The breach originated at Computer Facilities (Pty) Ltd, a South African third-party contractor responsible for managing the bank’s marketing and promotional communications. Attackers exploited a vulnerability within the contractor’s systems, gaining unauthorized access to customer data stored on those networks. Compromised information included full names, government-issued identification numbers, physical home addresses, telephone numbers, and email addresses. Nedbank confirmed the breach did not involve direct infiltration of its own internal systems, as the contractor maintained only a copy of customer data for marketing purposes rather than live access to bank infrastructure. The bank detected the intrusion through routine monitoring procedures applied to its external partners, identifying the vulnerability during these ongoing assessments.

Following discovery, Nedbank immediately intervened to contain the incident. The contractor’s compromised network was taken offline to prevent further unauthorized access, and the bank ensured the destruction of all remaining customer data held by Computer Facilities. Nedbank initiated customer notifications via SMS on February 13, informing affected individuals of the breach without specifying technical details of the vulnerability or attacker methodology. The bank emphasized collaboration with law enforcement agencies to investigate the incident and pursue the perpetrators. No financial data, account credentials, or transactional systems were exposed, as the breach remained isolated to the marketing contractor’s repository of demographic information. Nedbank issued a public apology for the incident but reiterated that operational banking services and customer assets remained secure throughout the event. The breach highlighted risks associated with third-party data handling, particularly for a financial institution operating across nine African nations including South Africa, Namibia, and Mozambique.
