The consumer and personal information of more than 1.4 million South Africans has appeared on the dark web, according to debt recovery firm Debt-IN Consultants.
The firm says that it suspects it was breached in April 2021, but only noticed it had been breached when “confidential consumer data and voice recordings of calls between Debt-IN debt recovery agents and financial services customers” was discovered on the dark web on 14th September.
The firm took a few days to authenticate the validity of the data following its discovery by an unnamed partner. The first authentication was done on 17th September.
“We are taking this matter very seriously. In this age of highly sophisticated information security threats and an estimated 17 billion cyber attacks around the world every day, Debt-IN is committed to doing all it can to protect clients’ information. We reiterate that we view this attack as the act of malicious cybercriminals. From the time this data breach was detected, our guiding principle has been to put our clients first, and we will continue to do so,” Debt-IN chief executive officer Mark Essey wrote in a statement.
Unfortunately, the leaked information is not restricted to Debt-IN clients: Standard Bank has said some of its clients may be impacted by this breach as well.
“Regrettably, the incident resulted in some of our clients’ information being obtained fraudulently. Your details may have been compromised. The information compromised includes clients’ account numbers, names, surnames, employer details, physical address, e-mail addresses, telephone numbers, debt amounts and balances and banking details,” Standard Bank said in an email to clients.
According to Debt-IN, the following data was taken:
- Customer name
- Customer surname
- Customer contact details (email, mobile and landline)
- Customer ID numbers
- Customer account numbers
- Customer transactional data (balance owed, payment dates, payment amounts)
- Customer employer information (salary date, employer name, employer address).
Unfortunately, African Bank clients also appear to be affected by this breach, according to a report from MyBroadband.
Debt-IN said that it is working with the regulator, law enforcement and its cybersecurity partners to investigate and resolve the issue. Concerned customers are asked to email compliance[at]debtin[dot]co[dot]za or call 0800 079 661.
This is incredibly bad for Debt-IN, especially seeing as it took over six months for this breach to be detected, and given that the only reason it was detected is that confidential data was discovered on the dark web.
We’re curious to see what the Information Regulator has to say about this matter, although the Department of Justice and Constitutional Development is still dealing with its own cybersecurity woes.