Cybersecurity | April 19, 2026

Hackers Leak Standard Bank Data; Threat Actor Claims 1.2 TB Stolen

Standard Bank faces a major data breach as threat actor Rootboy leaks 1.2 terabytes of customer data. Learn the impact, risks, and essential mitigation steps.

Peter Olaleru/3 min/NG

Cybersecurity Editor


Standard Bank customer data is now publicly accessible following a significant breach. A threat actor known as Rootboy claims exfiltration of 1.2 terabytes of data, impacting millions of records.

Data stolen from Standard Bank has appeared on public platforms, confirming an earlier disclosed cybersecurity incident. Standard Bank of South Africa first reported unauthorized access to select data on March 23, providing subsequent updates in April. The breach involved internal administrative and document filing systems, not the bank's core transactional operations.

The threat actor, identified as Rootboy, claims responsibility for the breach. Rootboy asserts the exfiltration of 1.2 terabytes of data, comprising approximately 154 million SQL database rows. Access, maintained for over three weeks starting in late February, allowed movement through various internal systems. These included SharePoint, OneDrive, Power Apps, Jira, Confluence, Citrix, and several Microsoft and Oracle SQL databases. Compromised data includes account numbers, limited account information, business names, and identification or registration numbers. Standard Bank maintains that its core transactional banking systems remained secure and unaffected by the incident.

The public release of this specific personal data elevates the risk of highly personalized phishing campaigns. Attackers can leverage account and identity details to craft convincing scams, making them harder for individuals to detect. This increases the potential for fraudulent transactions, identity theft, or credential harvesting, particularly in regions with high mobile banking adoption. Standard Bank has implemented enhanced monitoring of credit bureau activity, additional transaction monitoring, and increased fraud detection across its platforms to mitigate immediate risks. The bank had also been preparing for the possibility of client- and company-related data being made public, which has now occurred.

Organizations must strengthen their security posture beyond perimeter defenses. Implement advanced phishing prevention technologies and conduct continuous user awareness training to educate employees on recognizing sophisticated social engineering attempts. Enforce multi-factor authentication (MFA) across all internal and customer-facing systems, adding a crucial layer of security. Regularly audit and segment administrative systems, applying the principle of least privilege to limit potential lateral movement by attackers. Deploy Data Loss Prevention (DLP) solutions to monitor and prevent unauthorized data exfiltration, safeguarding sensitive information.

The full scope of impact on affected customers and the ongoing regulatory investigation by authorities will be key areas to monitor for further developments.
