{"id":4724,"date":"2026-04-24T12:33:13","date_gmt":"2026-04-24T12:33:13","guid":{"rendered":"https:\/\/stock999.top\/?p=4724"},"modified":"2026-04-24T12:33:13","modified_gmt":"2026-04-24T12:33:13","slug":"new-bank-takes-swift-action-after-groundup-alerts-it-to-data-breach","status":"publish","type":"post","link":"https:\/\/stock999.top\/?p=4724","title":{"rendered":"New bank takes swift action after GroundUp alerts it to data breach"},"content":{"rendered":"<p><\/p>\n<p>A new bank, eNL Mutual (previously YWBN), took swift action to plug a data breach after an IT consultant contracted to GroundUp discovered it.<\/p>\n<p>eNL was granted a banking licence by the Reserve Bank in January 2024. It operates online; there are no branches. The bank\u2019s website explains that the \u201ce\u201d prefix denotes digital banking. NL are the initials of the bank\u2019s founder, Nthabeleng Likotsi. The bank markets itself as the country\u2019s \u201cfirst black-owned, women-led mutual bank\u201d.<\/p>\n<p>Last Thursday (16 April), we realised the bank was making confidential customer data available on a public URL: enlsystembo.co.za and the corresponding IP address 102.131.62.58. It is important to emphasise that no cracking (hacking), password-guessing or any unlawful or legally grey activities were needed or used to access enlsystembo.co.za. Any person with an internet connection and a browser could access this URL\u2019s file system and the data stored there.<\/p>\n<p>The data leaked included personal information (full names, SA ID numbers, addresses, emails, phone numbers), bank account details (account numbers, balances) and full transaction histories. 
It also included unencrypted card information, as well as database credentials, which could potentially be used by an attacker to manipulate financial data.<\/p>\n<p>We received legal advice that this was in breach of the Protection of Personal Information Act (Popia) and that the Information Regulator (IR) was responsible for dealing with this.<\/p>\n<p>Information Regulator does nothing<\/p>\n<p>Informing the IR was onerous. We emailed the IR and received an automated response stating that complaints were no longer accepted via email. We had to use the IR\u2019s content management system to file our \u201ccomplaint\u201d (we were less interested in complaining and more interested in alerting the IR to the problem, but the complaint mechanism appeared to be the only way to inform the IR of the problem).<\/p>\n<p>After navigating the IR\u2019s tedious, friction-filled system, we finally managed to lodge a complaint. We did not hear back from the IR despite the obvious urgency of the situation. The IR\u2019s annual budget is well over R100 million.<\/p>\n<p>We also notified the Reserve Bank and Financial Sector Conduct Authority. Other than a perfunctory, possibly automated, reply from the latter, we have not heard from either institution.<\/p>\n<p>Swift response from the bank<\/p>\n<p>On Friday at noon, we alerted the bank. Shortly thereafter, the URL and corresponding IP address became inaccessible. eNL subsequently corresponded with us. 
To the bank\u2019s credit it took full responsibility for the breach, is investigating it, notifying affected customers and taking steps to strengthen its security.<\/p>\n<p>\u201cWe would like to acknowledge that a security misconfiguration in a non-production environment led to the unintended exposure of certain data through a publicly accessible endpoint,\u201d the bank informed us.<\/p>\n<p>\u201cAs a bank, we remain fully accountable for the protection of customer information, regardless of whether systems are managed internally or by third-party service providers. We are formally treating this as a data leakage incident and are following all required reporting and notification processes. This includes engagement with the Information Regulator (South Africa), the South African Reserve Bank and other relevant regulatory authorities. In line with our legal obligations, we will also notify affected customers directly.\u201d<\/p>\n<p>Read the bank\u2019s full response.<\/p>\n<p>On Thursday 16 April, based on the network requests made by eNL Mutual Bank\u2019s mobile app, we noticed that the ISP being used was Village Operator.<\/p>\n<p>Searching for this ISP on the internet search engine Shodan resulted in us finding a server belonging to eNL, hosted on IP address 102.131.62.58, and resolving to enlsystembo.co.za. We noticed that this host was flagged by the search engine as having an open directory, and upon further investigation, we confirmed this to be the case. 
This system has been crawled by the search engine Shodan since March, and their historic results show that the directory hosted on the server has been open since the initial crawl.<\/p>\n<p>Here is a summary of the data that was open to the public:<\/p>\n<p>Financial data<\/p>\n<p>Personal information (full names, SA ID numbers, addresses, emails, phone numbers)<br \/>\nAccount details (bank account numbers, balances, dates that accounts were opened)<br \/>\nFull transaction history spanning months for every account<br \/>\nUnencrypted Card Data (16-digit card numbers [PANs] as well as Track 1 and Track 2 magnetic stripe data, which can be used to directly clone cards) (this is a PCI-DSS violation, even though only a few cards appear to have been issued)<\/p>\n<p>Internal Bank Operations<\/p>\n<p>Bank Reconciliation Logs \u2013 internal EFTs, real-time clearing (RTC) reports, and Bankserv Magtape and Settlement reports<br \/>\nInternal Accounting \u2013 General Ledger (Sage) exports showing daily transaction volumes, internal codes, and internal financial movement<\/p>\n<p>Bank System<\/p>\n<p>Hardcoded database password: the database IP, username, and password were sitting in plain text inside configuration files and scripts [also a database username and password for eZaga]<br \/>\nHardcoded email\/SMTP passwords: emails and their passwords scattered around processing scripts in plain text [belonging to noreply@ezaga.co.za]<br \/>\nSMS Service login credentials (BulkSMS.com)<br \/>\nProprietary Banking Logic including PHP source code and SQL statements responsible for sensitive operations like AVS, RTC, EFT, and internal debit routing.<\/p>\n<p>\u00a9 2026 GroundUp. 
This article was first published here.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new bank, eNL Mutual (previously YWBN), took swift action to plug a data breach&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[4342,9889,200,6614,569,9888,1008,2610],"_links":{"self":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts\/4724"}],"collection":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4724"}],"version-history":[{"count":0,"href":"https:\/\/stock999.top\/index.php?rest_route=\/wp\/v2\/posts\/4724\/revisions"}],"wp:attachment":[{"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stock999.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}