A new bank, eNL Mutual (previously YWBN), took swift action to plug a data breach after an IT consultant contracted to GroundUp discovered it.
eNL was granted a banking licence by the Reserve Bank in January 2024. It operates online; there are no branches. The bank’s website explains that the “e” prefix denotes digital banking. NL are the initials of the bank’s founder, Nthabeleng Likotsi. The bank markets itself as the country’s “first black-owned, women-led mutual bank”.
Last Thursday (16 April), we realised the bank was making confidential customer data available on a public URL: enlsystembo.co.za and the corresponding IP address 102.131.62.58. It is important to emphasise that no cracking (hacking), password-guessing or any unlawful or legally grey activities were needed or used to access enlsystembo.co.za. Any person with an internet connection and a browser could access this URL’s file system and the data stored there.
The data leaked included personal information (full names, SA ID numbers, addresses, emails, phone numbers), bank account details (account numbers, balances) and full transaction histories. It also included unencrypted card information, as well as database credentials, which could potentially be used by an attacker to manipulate financial data.
We received legal advice that this was in breach of the Protection of Personal Information Act (Popia) and that the Information Regulator (IR) was responsible for dealing with this.
Information Regulator does nothing
Informing the IR was onerous. We emailed the IR and received an automated response stating that complaints were no longer accepted via email. We had to use the IR’s content management system to file our “complaint” (we were less interested in complaining and more interested in alerting the IR to the problem, but the complaint mechanism appeared to be the only way to inform the IR of the problem).
After navigating the IR’s tedious, friction-filled system, we finally managed to lodge a complaint. We did not hear back from the IR despite the obvious urgency of the situation. The IR’s annual budget is well over R100 million.
We also notified the Reserve Bank and Financial Sector Conduct Authority. Other than a perfunctory, possibly automated, reply from the latter, we have not heard from either institution.
Swift response from the bank
On Friday at noon, we alerted the bank. Shortly thereafter, the URL and corresponding IP address became inaccessible. eNL subsequently corresponded with us. To the bank’s credit, it took full responsibility for the breach, and it is investigating it, notifying affected customers and taking steps to strengthen its security.
“We would like to acknowledge that a security misconfiguration in a non-production environment led to the unintended exposure of certain data through a publicly accessible endpoint,” the bank informed us.
“As a bank, we remain fully accountable for the protection of customer information, regardless of whether systems are managed internally or by third-party service providers. We are formally treating this as a data leakage incident and are following all required reporting and notification processes. This includes engagement with the Information Regulator (South Africa), the South African Reserve Bank and other relevant regulatory authorities. In line with our legal obligations, we will also notify affected customers directly.”
Read the bank’s full response.
On Thursday 16 April, based on the network requests made by eNL Mutual Bank’s mobile app, we noticed that the ISP being used was Village Operator.
Searching for this ISP on the internet search engine Shodan led us to a server belonging to eNL, hosted on IP address 102.131.62.58 and resolving to enlsystembo.co.za. The search engine flagged this host as having an open directory, and on further investigation we confirmed this to be the case. Shodan has crawled this system since March, and its historic results show that the directory hosted on the server has been open since the initial crawl.
Here is a summary of the data that was open to the public:
Financial data
- Personal information (full names, SA ID numbers, addresses, emails, phone numbers)
- Account details (bank account numbers, balances, dates that accounts were opened)
- Full transaction history spanning months for every account
- Unencrypted card data: 16-digit card numbers (PANs) as well as Track 1 and Track 2 magnetic stripe data, which can be used to directly clone cards. This is a PCI-DSS violation, even though only a few cards appear to have been issued.
Internal Bank Operations
- Bank Reconciliation Logs – internal EFTs, real-time clearing (RTC) reports, and Bankserv Magtape and Settlement reports
- Internal Accounting – General Ledger (Sage) exports showing daily transaction volumes, internal codes, and internal financial movement
Bank System
- Hardcoded database password: the database IP, username, and password were sitting in plain text inside configuration files and scripts [also a database username and password for eZaga]
- Hardcoded email/SMTP passwords: emails and their passwords scattered around processing scripts in plain text [belonging to noreply@ezaga.co.za]
- SMS Service login credentials (BulkSMS.com)
- Proprietary Banking Logic including PHP source code and SQL statements responsible for sensitive operations like AVS, RTC, EFT, and internal debit routing.
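A pre-publication audit for the exposure classes listed above, as an added example that is not GroundUp's or the bank's code: it scans a directory tree for Luhn-valid card numbers, magnetic stripe track data and quoted passwords in scripts. The patterns, file names and every sample value are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Illustrative patterns for the exposure classes listed above; not exhaustive.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")  # 16-digit card number candidates
LINE_PATTERNS = {
    "track1": re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}"),  # magnetic stripe track 1
    "track2": re.compile(r";\d{12,19}=\d{4}"),                # magnetic stripe track 2
    # quoted literal assigned to a password-like name (PHP, INI or JSON style)
    "hardcoded-secret": re.compile(
        r"(?i)\w*(?:password|passwd|pwd|secret)\w*['\"]?\s*(?:=>|=|:)\s*['\"][^'\"\s]{4,}['\"]"),
}

def luhn_ok(digits):
    """Luhn checksum, used to discard 16-digit strings that are not card numbers."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def scan_text(text):
    """Return sorted (line_number, kind) findings for one file's text."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        found += [(n, kind) for kind, rx in LINE_PATTERNS.items() if rx.search(line)]
        if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN_RE.finditer(line)):
            found.append((n, "pan"))
    return sorted(found)

def scan_tree(root):
    """Scan every file under root; return {relative_path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        hits = scan_text(path.read_text(errors="replace")) if path.is_file() else []
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Write a constructed web root (test values only) to a temp dir and scan it."""
    samples = {
        "db.php": "<?php\n$db_host = '192.0.2.10';\n$db_password = 'Example-Only-1';\n",
        "db_env.php": "<?php\n$db_password = getenv('DB_PASSWORD');\n",
        "cards.csv": "name,pan\nTest User,4111 1111 1111 1111\nref,1234567890123456\n",
        "stripe.log": ";4111111111111111=30121010000000000?\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            Path(tmp, rel).write_text(body)
        return scan_tree(tmp)
```

In the constructed tree, `db_env.php` reads its password from the environment and produces no finding, and the 16-digit reference in `cards.csv` that fails the Luhn check is not reported as a card number.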
© 2026 GroundUp. This article was first published here.