Nedbank client records stolen in online heist

The nightmare is not over for the 32 million subscribers to Ashley Madison who had their private information including names, passwords, phone numbers and other private details dumped on the dark web by hackers in 2016. 

It appears that criminals have revived a “sextortion” scheme that targets these subscribers who used the dating website to cheat on their partners.

Victims are receiving emails threatening to expose their intimate secrets and emails to family and friends on social media and via email unless they pay a Bitcoin ransom.

US cybersecurity firm Vade Secure says it detected several hundred examples of this extortion scam in February 2020 alone. The scammers are primarily targeting users in the US, Australia and India. 

“Seeing that more than 32 million accounts were made public as a result of the Ashley Madison data breach, we expect to see many more in the coming weeks,” the company says.

The emails are personalised with information from the Ashley Madison data breach. The subject includes the target’s name and bank. The body includes everything from the user’s bank account number, telephone number, address and birthday. The email may also reference private content or communication between individuals on the site itself. 

The example below refers to past purchases for “male assistance products”.



“The more of your personal information that a cybercriminal has, the more power they have to manipulate you,” says John McLoughlin, CEO of cybersecurity company J2 Software. In this case, the targets are victims of “sextortion”, but criminals can just as easily use your information to win over your trust.

“Someone could phone pretending to be from one of your financial service providers and warn you that you have been the victim of a crime which they are working to solve. The individual will not ask for your personal details, but will have your details and ask you to confirm them. 

“This establishes trust. It is a small matter for them to ask you to authenticate something — perhaps using a one-time pin or similar. Because trust has been established, you unwittingly reveal that information or execute the step.”

Thus, although it’s a completely different case from the Ashley Madison breach and there is no direct overlap, Nedbank customers who have had their personal information compromised need to be extra vigilant, he says.

On Thursday 13 February Nedbank warned that a data breach had occurred at the premises of a third-party service provider, Computer Facilities Ltd. This is a direct marketing company that issues SMS and email marketing information on behalf of Nedbank and a number of other companies.

A subset of the potentially compromised data at Computer Facilities included personal information (names, ID numbers, telephone numbers, physical and/or email addresses) of some Nedbank clients.

The bank added that no Nedbank systems or client bank accounts were compromised or are directly at risk as a result of this data issue. In fact, the company concerned had no direct links to Nedbank systems, said Nedbank’s group chief information officer, Fred Swanepoel.

Nedbank identified the data security issue as part of its routine and ongoing monitoring procedures.

“Once we became aware of the issue, we engaged as a matter of urgency with the service provider and leading forensic experts to conduct an extensive investigation,” the bank said.

“We have moved swiftly to secure and destroy all Nedbank client information held by Computer Facilities from Nedbank Retail relating to about 1.1 million active clients.

“The matter is receiving our urgent attention,” added CE Mike Brown. “The safety and security of our clients’ information is a top priority.”

Nedbank has focused on securing all client data at the smaller company and is communicating directly with affected clients as well as the relevant regulators and authorities.

“We have seen a massive spike in third-party compromise,” says McLoughlin. “These are often smaller companies that do business with larger entities. They are a target because hackers use them as a stepping stone to the ultimate goal which is the bigger organisations and their customers.” 

The reason smaller companies are targeted, he says, is that they don’t have the same controls and measures in place as bigger companies. 

And while the big companies do audit their suppliers, they often rely on “a piece of paper”, in other words, a written reply to a risk assessment and questionnaire. “The question is, do they actually examine a supplier’s policies and understand how they control and monitor adherence to these policies?” he asks.

This is not to say that Nedbank was negligent. The fact that the bank itself picked up the hack suggests its monitoring systems are vigilant.

The problem is that because we live in an increasingly connected world this type of crime will only increase.

As a criminal, where would you invest your money — in the weapons, people and vehicles necessary to carry out cash-in-transit heists? Or in some smart hackers who can send out a million emails a day using targeted information they have bought or hacked? With that information even if you harvest the bank information from 1% of the emails it’s easy money. 

Even worse is that the information that was hacked in 2019 or even before that (ask the Ashley Madison clients), is still available for sale on the black market.

According to Vade Secure, there were more than 5,183 data breaches reported in the first nine months of 2019, a 33% increase from the previous year. In total, 7.9 billion records were exposed. Many of these records, including troves of usernames and passwords, were stolen through phishing campaigns and are for sale on the black market.

Those exposed records will give hackers everything they need to improve their email campaigns.

“There are more breaches, compromise and attacks than one imagines,” says McLoughlin.

“Be wary. Look around. Be vigilant. Take every question with a bigger pinch of salt. Ask yourself, is this legitimate, is this the normal way of communicating, question it. If you are concerned, use old technology — pick up the telephone and ask!” BM