eNL Mutual Bank Exposes Customer Data in Major Security Lapse
eNL Mutual Bank, South Africa’s first black-owned, women-led mutual bank, inadvertently exposed sensitive customer data due to a security misconfiguration. The breach was discovered on 16 April 2024 by Joel Cedras, an IT consultant working with GroundUp, who found that confidential information was publicly accessible via a URL (enlsystembo.co.za) and its corresponding IP address (102.131.62.58).
The exposed data included full names, SA ID numbers, addresses, emails, phone numbers, bank account details, transaction histories, unencrypted card information, and database credentials all accessible without hacking or unauthorized access. The leak violated the Protection of Personal Information Act (POPIA), prompting GroundUp to report the incident to the Information Regulator (IR).
Despite the IR’s R100-million-plus annual budget, the reporting process was cumbersome, requiring submission through an inefficient content management system. No response was received from the IR, nor from the Reserve Bank or Financial Sector Conduct Authority, beyond an automated acknowledgment.
eNL Mutual acted swiftly upon notification, taking the exposed URL offline by Friday noon and assuming full responsibility. The bank confirmed the breach stemmed from a misconfiguration in a non-production environment and is treating it as a formal data leakage incident. It is notifying affected customers, engaging with regulators, and reinforcing security measures. The bank emphasized accountability, stating that it remains responsible for protecting customer data, whether managed internally or by third parties.
eNL Mutual, which received its banking license in January 2024, operates exclusively online under founder Nthabeleng Likotsi. The incident highlights vulnerabilities in digital banking infrastructure and regulatory response gaps.
Source: https://groundup.org.za/article/new-bank-takes-swift-action-after-groundup-alerts-it-to-data-breach/
eNL Mutual Bank cybersecurity rating report: https://www.rankiteo.com/company/enl-mutual-bank
"id": "ENL1777026556",
"linkid": "enl-mutual-bank",
"type": "Breach",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Unknown (sensitive customer '
'data exposed)',
'industry': 'Financial Services',
'location': 'South Africa',
'name': 'eNL Mutual Bank',
'type': 'Bank'}],
'attack_vector': 'Misconfiguration',
'customer_advisories': 'Bank is notifying affected customers',
'data_breach': {'data_encryption': 'No (unencrypted card information exposed)',
'data_exfiltration': 'No evidence of data exfiltration '
'(publicly accessible without hacking)',
'personally_identifiable_information': 'Full names, SA ID '
'numbers, addresses, '
'emails, phone numbers',
'sensitivity_of_data': 'High (SA ID numbers, bank account '
'details, unencrypted card '
'information)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Financial Data',
'Database Credentials']},
'date_detected': '2024-04-16',
'date_resolved': '2024-04-19T12:00:00',
'description': 'eNL Mutual Bank, South Africa’s first black-owned, women-led '
'mutual bank, inadvertently exposed sensitive customer data '
'due to a security misconfiguration. The breach was discovered '
'on 16 April 2024 by Joel Cedras, an IT consultant working '
'with GroundUp, who found that confidential information was '
'publicly accessible via a URL (enlsystembo.co.za) and its '
'corresponding IP address (102.131.62.58). The exposed data '
'included full names, SA ID numbers, addresses, emails, phone '
'numbers, bank account details, transaction histories, '
'unencrypted card information, and database credentials, all '
'accessible without hacking or unauthorized access.',
'impact': {'brand_reputation_impact': 'Potential damage to brand reputation '
'as a newly licensed digital bank',
'data_compromised': 'Full names, SA ID numbers, addresses, emails, '
'phone numbers, bank account details, '
'transaction histories, unencrypted card '
'information, database credentials',
'identity_theft_risk': 'High (exposure of SA ID numbers, bank '
'account details, and unencrypted card '
'information)',
'legal_liabilities': 'Violation of POPIA, potential fines and '
'legal actions',
'operational_impact': 'Bank took the exposed URL offline and '
'reinforced security measures',
'payment_information_risk': 'High (unencrypted card information '
'exposed)',
'systems_affected': 'Non-production environment '
'(enlsystembo.co.za, IP: 102.131.62.58)'},
'investigation_status': 'Ongoing (bank treating it as a formal data leakage '
'incident)',
'lessons_learned': 'Vulnerabilities in digital banking infrastructure, gaps '
'in regulatory response processes, importance of securing '
'non-production environments',
'post_incident_analysis': {'corrective_actions': 'Reinforcing security '
'measures, notifying '
'affected customers, '
'engaging with regulators',
'root_causes': 'Security misconfiguration in a '
'non-production environment'},
'recommendations': 'Improve security configurations, enhance monitoring of '
'non-production environments, streamline regulatory '
'reporting processes, reinforce third-party risk '
'management',
'references': [{'source': 'GroundUp'}],
'regulatory_compliance': {'regulations_violated': ['Protection of Personal '
'Information Act (POPIA)'],
'regulatory_notifications': 'Reported to the '
'Information Regulator '
'(IR), Reserve Bank, '
'and Financial Sector '
'Conduct Authority'},
'response': {'communication_strategy': 'Public statement acknowledging the '
'breach and assuming full '
'responsibility',
'containment_measures': 'Took the exposed URL offline by Friday '
'noon (19 April 2024)',
'incident_response_plan_activated': 'Yes',
'remediation_measures': 'Reinforcing security measures, '
'notifying affected customers, engaging '
'with regulators'},
'title': 'eNL Mutual Bank Exposes Customer Data in Major Security Lapse',
'type': 'Data Leakage',
'vulnerability_exploited': 'Security misconfiguration in a non-production '
'environment'}