Postbank has suffered a catastrophic data breach at an old data center in Pretoria, South Africa. The incident involved the theft of a 36-digit master key, which attackers could potentially use to access the bank’s systems, read and edit account balances, change whatever information they want, and even reset or fill up Postbank cards. As a result of this breach, the bank now needs to replace all cards with new ones that will be created using a new key. The number of affected cards is about 12 million, and the cost of replacing them is estimated at $58.7 million.
The actors were Postbank employees who secretly printed out the encryption master key in plaintext form in December 2018. The bank realized that something was off three months after the incident, and by December 2019, it had recorded approximately 25,000 fraudulent transactions in its systems. The rogue employees were stealing money from social grant cards belonging to beneficiaries, with the damage totaling $3.25 million. Between eight and ten million clients may have been affected. Because the actors could have accessed all the details about the cardholders, this was not just a money-stealing incident but also a large-scale data breach.
Postbank is a subsidiary of the South African Post Office, a state-owned company that enjoys a monopoly in letter post and parcel services. Thus, it holds a powerful position in the national market, and Postbank, by extension, is considered a trusted financial services provider in the country. This incident, however, highlights severe security holes, reliance on obsolete systems, poor internal process auditing, negligence in transaction confirmation, and a massively delayed response to large-scale fraudulent activities.
If you are a holder of a Postbank card, you should be waiting for a replacement card. Also, don’t forget that your sensitive personal data may have been accessed or even exfiltrated, so you should beware of identity theft risks and take action to mitigate them. The bank hasn’t clarified if the grant beneficiaries who have had their money stolen will get it back, but reporting any activities that you don’t recognize as soon as possible remains your best bet right now.