Egyptian Raises Alarm Over Unity Bank’s Disclosure Of Customer Information To Third Party

An Egyptian has cried out over Unity Bank’s continued disclosure of a customer’s transaction details to him via emails since 2020.

The Egyptian third party, Adam Amin, told this newspaper that he has been receiving the said customer’s account transaction alerts in the last three years.

Mr Amin said that since 2021, he has been notifying the bank about the data breach but nothing has been done to correct it. The Egyptian added that he is worried about the safety of the customer, whose banking data may have been compromised.

In a detailed message to PREMIUM TIMES, Mr Amin explained that when he first received the mail detailing the customer’s transaction, he thought it was from scammers so he waited for some months before reaching out to the bank in 2021. He also shared copies of emails sent to the bank with this newspaper.

Despite lodging complaints at the bank, he told this newspaper that he still receives transaction alerts even after blocking Unity Bank’s mail address from his electronic mail account.

“I have engaged with them on WhatsApp several times since 2021, they were very nice and cordial,” he told PREMIUM TIMES.

“They promised to look into it but then I started to receive the emails again and went back to them and they say they will look into it. Then I followed up, a week after and they said it’s still ongoing. At some point, they told me it was done but I was still receiving the alerts.

“I started pressuring them, then they requested I email them and I did, finally they said the issue has been dealt with and then I am still receiving the statement. I messaged again and they stopped responding. I have unsubscribed and blocked them and these alerts still find their way to my mail.”

Efforts by PREMIUM TIMES to speak to the bank’s spokesperson, Matthew Obiazikwor, regarding the bank’s established protocol for addressing data breach incidents, were unsuccessful.

Multiple text messages and telephone calls placed to his known telephone numbers were not responded to.

CBN Regulation

The Central Bank of Nigeria on November 7, 2016, released the consumer protection framework to enhance consumer confidence in the financial services industry and promote financial stability, growth, and innovation.

Part five, section four of the framework says institutions must safeguard consumer data and assets, get consent for data collection, notify consumers of data exchange, keep accurate data, and review processing procedures regularly.

They are equally expected to: “Protect the privacy and confidentiality of consumer information and assets against unauthorized access, and be accountable for acts or omissions in respect thereof.

“Not transfer personal data of consumers to a third party without their express consent, except in compliance with a legal obligation.”

Previous Data Breach

On August 25, 2020, Bank Security, a Twitter handle focused on security threats in banks, reported that the database of Unity Bank was being shared online on hacker forums.

At least three other hacker forums reportedly shared the same database, according to Bank Security.

But the bank in a tweet assured its customers that it remains committed to safeguarding their personal details.

“Dear Customers, be vigilant, cyber criminals are always looking for creative ways to commit fraud.

“Do not fall for false data breach claims, unsecured and suspicious scam mails/texts/calls devised to mislead you into disclosing your personal details.

“Unity Bank places a high priority on the security and safety of our customers. Rest assured your banking information is well protected,” it said.

Tope Fasua, an economist, raised concern over the repeated attempts to contact the bank on the potential case of a mistaken email address in their system. He said that although the bank’s experience may have been a random incident, the lack of any resolution despite several attempts to rectify the situation is worrying.

“The danger is in the issues of loss of privacy on a transaction, apart from the fact that somebody else is seeing his balances, they could use it against him- fraudster piece information together these days, sometimes the banks will redact parts of the account number but the balance is there to see.

“A fraudster is looking for any useful information, the balance is one, also the full name, people who snatch phones these days are not after the phone per se, your phone in the wrong hands can get your BVN, NIN.

“You see the information is complete to get someone and even these days when they cannot take money from your account, they can use your bank details to borrow money from Fintech so it is really dangerous. As the person is getting the alert notification, he also gets important information from the bank to the account holder.”

A top bank official, who pleaded anonymity because he was not authorized to speak on the issue, said the data breach and alleged neglect of the complaints by the bank could endanger the account holder.

“The account holder could sue the bank because the person receiving the alert was fraudulent, he could use the information wrongly,” the official said.

“Emails are even worse than text messages, if you change your password, your email will be notified. The account holder could even be in grave danger if the person receiving his alert sees a huge transaction, he has his full name, and he could trace him on Facebook and rob him.”