South Africa’s Postbank has suffered a major data breach, forcing the financial institution to replace 12 million bank cards after rogue employees stole its 36-digit master key.
Data breaches have become a day-to-day struggle for businesses and organizations across the world and, from time to time, the bad actors lurk within the organization itself. According to reports, in December 2018, the culprits covertly printed out the bank’s master key in plain text, stealing approximately $3.35 million from beneficiaries who receive social grants every month.
The Sunday Times, which obtained a forensic report completed in July 2019, provided a detailed description of the events. It appears that the master key was exposed in July 2018 during a data center move. It was compromised “after being stored in clear text on one laptop (at a minimum) and remains compromised to the present day,” the report said.
With the master key in hand, the attackers could also have accessed the bank’s systems to edit account balances and to reset or reload Postbank cards. By December 2019, bank officials had registered around 25,000 fraudulent transactions in their systems. Between 8 million and 10 million cardholders were affected and, besides stealing funds from their accounts, the bad actors could also have exfiltrated the personal information of a further 1 million customers.
The cost of replacing the affected cards is $58.7 million, and bank officials have yet to confirm whether grant beneficiaries affected by the fraud will be reimbursed for their losses. “It appears that the significance of magnitude of this card breach may have been comprehended by Postbank operations and IT senior management,” former chief risk officer Benjamin April said in a January report. “The Sassa master key compromise is a significant failure for the Postbank and also for the national payment system.”
In September 2019, South Africa’s Reserve Bank gave Postbank an 18-month deadline to replace the 12 million compromised cards. The bank also prohibited contactless offline transactions for cardholders for the same period.