New bank takes swift action after GroundUp alerts it to data breach

But the Information Regulator is missing in action


To its credit eNL Mutual Bank took full responsibility and acted swiftly when GroundUp’s IT consultant discovered a data breach. Archive photo: Ashraf Hendricks

  • GroundUp’s IT consultant, Joel Cedras, discovered that eNL Mutual Bank had inadvertently made confidential customer information, including transactions, publicly available.
  • The bank, to its credit, responded swiftly, removing the public facing URL and taking full responsibility for the error.
  • But we also informed the Information Regulator, an institution that is funded with substantially more than R100-million a year. The process of informing the regulator was cumbersome and we’ve received no response from it.

A new bank, eNL Mutual (previously YWBN), took swift action to plug a data breach after an IT consultant contracted to GroundUp discovered it.

eNL was granted a banking licence by the Reserve Bank in January 2024. It operates online; there are no branches. The bank’s website explains that the “e” prefix denotes digital banking. NL are the initials of the bank’s founder, Nthabeleng Likotsi. The bank markets itself as the country’s “first black-owned, women-led mutual bank”.

Last Thursday (16 April), we realised the bank was making confidential customer data available on a public URL: enlsystembo.co.za and the corresponding IP address 102.131.62.58. It is important to emphasise that no cracking (hacking), password-guessing or any unlawful or legally grey activities were needed or used to access enlsystembo.co.za. Any person with an internet connection and a browser could access this URL’s file system and the data stored there.

The data leaked included personal information (full names, SA ID numbers, addresses, emails, phone numbers), bank account details (account numbers, balances) and full transaction histories. It also included unencrypted card information, as well as database credentials, which could potentially be used by an attacker to manipulate financial data.

We received legal advice that this was in breach of the Protection of Personal Information Act (POPIA) and that the Information Regulator (IR) was responsible for dealing with this.

Information Regulator does nothing

Informing the IR was onerous. We emailed the IR and received an automated response stating that complaints were no longer accepted via email. We had to use the IR’s content management system to file our “complaint” (we were less interested in complaining and more interested in alerting the IR to the problem, but the complaint mechanism appeared to be the only way to inform the IR of the problem).

After navigating the IR’s tedious, friction-filled system, we finally managed to lodge a complaint. We did not hear back from the IR despite the obvious urgency of the situation. The IR’s annual budget is well over R100-million.

We also notified the Reserve Bank and Financial Sector Conduct Authority. Other than a perfunctory, possibly automated, reply from the latter, we have not heard from either institution.

Swift response from the bank

At noon on Friday we alerted the bank. Shortly thereafter the URL and corresponding IP address became inaccessible. eNL subsequently corresponded with us. To the bank’s credit, it took full responsibility for the breach, is investigating it, is notifying affected customers and is taking steps to strengthen its security.

“We would like to acknowledge that a security misconfiguration in a non-production environment led to the unintended exposure of certain data through a publicly accessible endpoint,” the bank informed us.

“As a bank, we remain fully accountable for the protection of customer information, regardless of whether systems are managed internally or by third-party service providers. We are formally treating this as a data leakage incident and are following all required reporting and notification processes. This includes engagement with the Information Regulator (South Africa), the South African Reserve Bank and other relevant regulatory authorities. In line with our legal obligations, we will also notify affected customers directly.”

Read the bank’s full response.

Technical details of how the URL was found and what was being leaked

On Thursday 16 April, based on the network requests made by eNL Mutual Bank’s mobile app, we noticed that the ISP being used was Village Operator.

Searching for this ISP on the internet search engine Shodan led us to a server belonging to eNL, hosted on IP address 102.131.62.58 and resolving to enlsystembo.co.za. We noticed that this host was flagged by the search engine as having an open directory, and on further investigation we confirmed this to be the case. Shodan has crawled this system since March, and its historical results show that the directory hosted on the server has been open since the initial crawl.

Here is a summary of the data that was open to the public:

Financial data

  • Personal information (full names, SA ID numbers, addresses, emails, phone numbers)
  • Account details (bank account numbers, balances, dates that accounts were opened)
  • Full transaction history spanning months for every account
  • Unencrypted card data: 16-digit card numbers (PANs) as well as Track 1 and Track 2 magnetic stripe data, which can be used to directly clone cards. Storing this in the clear is a PCI DSS violation, even though only a few cards appear to have been issued.

Internal Bank Operations

  • Bank reconciliation logs: internal EFTs, real-time clearing (RTC) reports, and Bankserv Magtape and settlement reports
  • Internal accounting: General Ledger (Sage) exports showing daily transaction volumes, internal codes, and internal financial movement

Bank System

  • Hardcoded database password: the database IP address, username and password were sitting in plain text inside configuration files and scripts (also a database username and password for eZaga)
  • Hardcoded email/SMTP passwords: email addresses and their passwords scattered around processing scripts in plain text (belonging to noreply@ezaga.co.za)
  • SMS service login credentials (BulkSMS.com)
  • Proprietary Banking Logic including PHP source code and SQL statements responsible for sensitive operations like AVS, RTC, EFT, and internal debit routing
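The material listed under Financial data and Bank System above (card numbers and magnetic stripe data in the clear, database and SMTP passwords hardcoded in scripts) is exactly what a pre-deployment scan of a web root should catch before a directory is ever exposed. The script below is an added example, not GroundUp’s or eNL’s code: it scans a set of files for plaintext credential assignments, Luhn-valid card numbers and Track 1/Track 2 records, and reports only key names and masked PANs so the scan output does not itself become a leak. The sample files, key names and card values are constructed for illustration (4111111111111111 is a standard test number), and the regular expressions are assumptions about typical PHP/ini/env config styles.

```python
"""Pre-deployment web-root scanner (added example, not the bank's or GroundUp's code).

Flags three kinds of material that should never sit in a served directory:
  - plaintext credential assignments (db/SMTP/API passwords, secrets)
  - primary account numbers (PANs), validated with the Luhn check digit
  - Track 1 / Track 2 magnetic stripe records
"""
import re
from pathlib import Path

# Assignments such as $db_password = 'x', smtp_pass: "x", API_KEY=x.
# Group 1 is the key name (reported); group 2 is the secret (never reported).
CRED_RE = re.compile(
    r"""(?ix)
    \b(db_?pass(?:word)?|smtp_?pass(?:word)?|passw(?:or)?d|api_?key|secret)\b
    \s*[=:]\s*['"]?([^'"\s;]{4,})
    """
)
# 15-19 digit runs, optionally separated by spaces or dashes. The floor of 15
# is deliberate: SA ID numbers are 13 digits and also carry a Luhn check digit.
PAN_RE = re.compile(r"\b(?:\d[ -]?){14,18}\d\b")
# Track 1:  %B<PAN>^<NAME>^<YYMM + service code + discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d*\?")
# Track 2:  ;<PAN>=<YYMM + service code + discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d*\?")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first 6 and last 4 digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(name: str, text: str) -> set[tuple[str, str, str]]:
    """Return (file, kind, evidence) findings for one file's contents."""
    hits = set()
    for m in CRED_RE.finditer(text):
        hits.add((name, "credential", m.group(1)))  # key name only, never the value
    for m in TRACK1_RE.finditer(text):
        hits.add((name, "track1", mask(m.group(1))))
    for m in TRACK2_RE.finditer(text):
        hits.add((name, "track2", mask(m.group(1))))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # drops reference numbers, timestamps, etc.
            hits.add((name, "pan", mask(digits)))
    return hits


def scan_files(files: dict[str, str]) -> list[tuple[str, str, str]]:
    """Scan an in-memory {filename: contents} mapping (used by the demo and tests)."""
    hits = set()
    for name, text in files.items():
        hits |= scan_text(name, text)
    return sorted(hits)


def scan_tree(root: str) -> list[tuple[str, str, str]]:
    """Scan every file under a real directory, e.g. a staging web root before deploy."""
    hits = set()
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits |= scan_text(str(path), path.read_text(errors="ignore"))
    return sorted(hits)


# Constructed sample files mirroring the categories in the article (not real data).
SAMPLE_FILES = {
    "config.php": "<?php\n$db_host = '10.0.0.5';\n$db_user = 'core';\n$db_password = 'Hunter2!';\n",
    "mailer.php": '$smtp_pass = "s3cret"; // noreply sender\n',
    "cards_export.csv": (
        "cardholder,pan,track1,track2\n"
        "J Doe,4111111111111111,%B4111111111111111^DOE/JANE^2912101123456?,"
        ";4111111111111111=2912101123456?\n"
    ),
    "readme.txt": "Reference number 1234567890123456 is not a card.\n",
}

if __name__ == "__main__":
    for name, kind, evidence in scan_files(SAMPLE_FILES):
        print(f"{name:18} {kind:10} {evidence}")
```

Treat each hit as a lead to review rather than a verdict: the credential pattern only knows a handful of key names and should be extended with the vocabulary of your own config files, and any 15+ digit number that happens to pass Luhn will be reported. The point of running this over a staging tree before it is served is that a misconfigured directory listing then exposes, at worst, code rather than card data and database passwords.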


© 2026 GroundUp. This article is published under the GroundUp Republication Licence Version 1.0. Email info@groundup.org.za to request permission to republish.