[BreachExchange] South Africa’s PostBank is Replacing 12 Million Bank Cards After Major Security Breach

Destry Winant destry at riskbasedsecurity.com
Tue Jun 16 10:26:15 EDT 2020


South Africa’s Postbank has suffered a major data breach, forcing the
financial institution to replace 12 million bankcards after rogue
employees stole its 36-digit master key.

Data breaches have become a day-to-day struggle for businesses and
organizations across the world and, from time to time, the bad actors
lurk within the organization itself. According to reports, in December
2018, the culprits covertly printed out the bank’s master key in plain
text, stealing approximately $3.35 million from beneficiaries who
receive social grants every month.

The Sunday Times, which obtained a forensic report completed in July
2019, provided a detailed description of the events. It appears that
the master key was exposed in July 2018 during a data center move. It
was compromised “after being stored in clear text on one laptop (at a
minimum) and remains compromised to the present day,” the report said.

The attackers could have also accessed the bank’s systems, editing
account balances, and resetting or filling up Postbank cards. By
December 2019, bank officials registered around 25,000 fraudulent
transactions in their system. Between 8 million and 10 million
cardholders were affected and, besides stealing funds from their
accounts, the bad actors could have also exfiltrated the personal
information of an additional 1 million customers.

The cost of replacing the affected cards is $58.7 million, and bank
officials have yet to confirm if grant beneficiaries who were affected
by the fraudulent acts will be reimbursed for their loses. “It appears
that the significance of magnitude of this card breach may have been
comprehended by Postbank operations and IT senior management,” former
chief risk officer Benjamin April said in a January report. The Sassa
master key compromise is a significant failure for the Postbank and
also for the national payment system.”

In September 2019, South Africa’s Reserve Bank provided an 18-month
deadline for Postbank to replace the 12 million compromised cards. The
bank also prohibited contactless offline transactions for cardholders
within the same timeframe.

More information about the BreachExchange mailing list