A) If I have been compromised, what does this mean for me?
It means that some of your personal information has been fraudulently obtained. This information includes your ID number, residential and physical address and contact details.
If you have received an SMS or email from us, this means we have identified that your data has been compromised.
Fraudsters can potentially use this information to impersonate you (or your company) and commit fraud in your name, i.e. by fraudulently applying for banking facilities or entering into fraudulent agreements on your behalf.
Further information is available on Experian’s website, https://www.experian.co.za/, and you can contact them on
[email protected]
B) What data of mine has been compromised?
For personal customers, the affected data is the ID number, name, surname, email, current and previous contact numbers, cell phone, home telephone and work telephone (most recent 3 records), current and previous employer and occupation, current and previous addresses (most recent 3 records).
For business customers, the affected data is email, VAT number, company name and registration details, company directors, postal and physical address and turnover.
For personal customers, no banking credentials such as PINs, passwords or account information were compromised.
C) When did the data breach take place?
Experian notified the banking industry on 5 August 2020, and we have since been working closely with Experian, the Banking Association of South Africa (BASA) and the South African Banking Risk Information Centre (SABRIC), as well as our industry peers, to give this investigation the support and urgency it deserves.
The bank took the decision that informing the media of the data breach prior to the completion of the legal process being followed by Experian, would jeopardise their legal process, which would have a negative impact on Experian’s ability to identify the wrongdoer and mitigate the spread of the information, which ultimately would not be in the interests of the affected clients. In the interim, the bank took immediate steps to proactively enhance our authentication processes and our fraud prevention and detection strategies to protect our clients. As our measures are security sensitive, we are unfortunately not able to divulge more details.
D) Who provided the data to the fraudster?
The consumer personal information was provided by Experian to the suspected fraudster and was not provided by Standard Bank. However, the safety and security of customer information remains an absolute top priority for Standard Bank, and it is for this reason that we have taken the position not to rely on Experian leading the communication. We have chosen to inform our customers directly, to ensure that adequate steps can be implemented. As Standard Bank, we have also proactively stepped up our authentication processes and our fraud prevention and detection strategies to protect our clients.
E) What can I do to ensure that my banking details are secure?
Change all banking passwords and your username (email address) on Internet Banking or the mobile app using self-service channels (such as Internet Banking or ATMs), and change your social media passwords
Register for MyUpdates (free Standard Bank SMS service) to be notified of all transactions over R100 on your accounts
Personal customers can register for DigiMe on our banking app for enhanced protection
Contact the bank immediately if you suspect your bank accounts or cards have been compromised
Do not share your personal details, banking details or one-time PIN with anyone, including bank officials
Register with SAFPS for protective registration for free. If anyone tries to apply for banking products with your ID, the application will be declined or referred for further review. To do this, go to https://www.safps.org.za/Home/OurServices_ApplyProtectiveRegistration (please do so via Google Chrome). This registration is for a lifetime.
Register for the Experian 6-month free profile monitoring with alerts for customers whose details have been compromised; refer to the Experian website (https://www.experian.co.za/)
When making payments to unknown beneficiaries, utilise the Account Verification Services (AVS), which validate that account numbers belong to the correct recipients of the funds.
Always phone to confirm payment details if the payment details have been sent via email
F) Have immediate security measures been put in place to ensure increased protection against this specific vulnerability?
We have proactively stepped up our authentication processes and our fraud prevention and detection strategies. Unfortunately, we cannot give further detail as this could reduce the effectiveness of these measures.
G) Why/how does Experian (a third party) have access to my data?
Banks must submit data to and obtain data from the credit bureaus. This is stipulated in the National Credit Act Regulation, which requires a credit provider to check a consumer’s debt agreement history – refer to https://www.gov.za/documents/national-credit-act
H) In accordance with POPI, is there a way that I can insist that Experian cannot sell/provide my data to external parties other than for the purposes of credit reference checks?
The National Credit Act of 2005 (“NCA”) and the Protection of Personal Information Act of 2013 (POPIA) apply to the processing of personal information. The legislation providing the more extensive protection to personal information will apply to the processing of such information.
Experian is a registered Credit Bureau in terms of the NCA, and this means that credit information, as defined in the NCA, may only be used for prescribed purposes. Using credit information for purposes not specifically set out in the NCA or the Regulations (Other Purposes) will require consent or must be justified in terms of other regulatory requirements.
Experian is considered a responsible party in terms of POPIA in their own right, and we recommend you engage Experian to understand their processing activities and how they process your personal information. You as a data subject have various rights listed in section 5 of POPIA, and we draw your attention to some of these rights which you can exercise:
Right to establish whether Experian holds any personal information relating to you and to request access to such information;
Right to request, where necessary, the correction, deletion or destruction of your personal information;
Right to object, on reasonable grounds, to the processing of your personal information or a particular processing activity;
I) Why is the bank sharing my information without my consent?
We do obtain consent from our clients to share data with bureaus. It is in all of Standard Bank’s credit agreements with clients. Legally we are required to get consent.
Banks must submit data to and obtain data from the credit bureaus. This is stipulated in the National Credit Act Regulation, which requires a credit provider to check a consumer’s debt agreement history – refer to https://www.gov.za/documents/national-credit-act
Experian is a credit reporting partner to the financial services industry in South Africa. As standard industry practice, external credit bureaus partner with all types of commercial institutions and credit issuers, including banks, to help them make credit and loan decisions. Credit bureaus receive information from all creditors, as well as information from public records, such as property or court records.
J) Who else has access to my data that I have provided to you?
We cannot reliably comment on this as the breach happened at Experian; however, the safety and security of our customer information remains our top priority. We would like to reassure you that we are treating this incident with the utmost priority and attention.
K) What steps has the bank taken to prevent a repeat of this?
The safety and security of our client information remain our top priority. We would like to reassure you that we are treating this incident with the utmost priority and attention. We have proactively stepped up our authentication processes and our fraud prevention and detection strategies. Unfortunately, we cannot give further detail as this could reduce the effectiveness of these measures.
From a Standard Bank perspective, you might be subjected to additional security checks and processes just to ensure that the information obtained cannot be utilised to compromise internal Standard Bank processes. We also urge you to be extremely diligent and to alert all relevant employees to this compromise to ensure that you can proactively identify any attempts to utilise the information.
L) How does the bank ensure that its third-party service providers protect my information?
Section 70 of the NCA (National Credit Act) requires that credit bureaus must register with the NCR (National Credit Regulator) and must adhere to a number of requirements, which include the safeguarding of credit bureau information - refer to https://www.gov.za/documents/national-credit-act.
In addition, POPIA also requires that personal data is kept safe and secure – refer to https://popia.co.za/
In respect of third-party service providers, the Standard Bank Group has a comprehensive Third-Party Risk Management Framework which governs the management of relationships with third parties the Group engages with. Monitoring of third parties occurs on an ongoing basis based on the risk associated with the Third Party.
M) How does the bank monitor its 3rd party service providers’ compliance with laws and regulations?
In respect of third-party service providers, the Standard Bank Group has a comprehensive Third-Party Risk Management Framework which governs the management of relationships with third parties the Group engages with. Monitoring of third parties occurs on an ongoing basis based on the risk associated with the Third Party.
N) What responsibility will the bank take if I am now a fraud victim due to my data being compromised?
The Bank’s responsibility, if any, will be determined on the facts of each case, as per the ordinary processes applicable to any fraud-related claim from a client. In the context of this data breach, we believe that the claim would lie against Experian. Standard Bank remains available to you, as a valued customer, to assist with any further queries that you may have in regard to this incident.
O) Will Standard Bank continue doing business with Experian?
Regrettably, we are unable to comment on a contractual relationship with a 3rd party.