The News
*Updated with news of bank’s decision.
The Commercial Bank of Ethiopia violated customers’ private data when it published hundreds of names and photographs of customers in bid to recover lost funds from an ATM network glitch incident.
International digital rights group Access Now and Ethiopia’s Centre for Advancement of Rights and Democracy both slammed the bank’s name-and-shame strategy to recoup $14 million lost during a system glitch that allowed customers to withdraw unauthorized funds back in March.
Following the sharp criticism earlier this week, the bank on Friday took down the names of customers from its various platforms saying it had recovered just over 99% of the “illegally withdrawn money.”
In a statement the bank said all names and photograph had been removed from its social media accounts “since the majority of the people whose names and images were placed there have paid for the money that was taken inappropriately.“
The bank released easily identifiable details of the customers allegedly involved after a deadline lapse during which the bank asked for the voluntary return of the money. Nearly 15,000 accounts were implicated in the transactions, including a few of the bank’s employees.
Know More
A personal data protection law was approved by Ethiopia’s parliament in the weeks following the incident, and contains, “clear provisions on the legal basis for the processing of personal data which the CBE has failed to comply with,” said a statement from the organization.
According to the new law, the bank can be challenged on the grounds of unlawful transfer to a third party, which in this case is the public, said Befeqadu Hailu, executive director at the Center for Advancement of Rights and Democracy. “Posting these sensitive data of its customers also assumes their guilt,” he said. “Even when the police catch you red-handed in a crime, they have to take you to court, they don’t have the mandate to declare you guilty.”
This is not the first time a state-owned entity has undermined privacy in Ethiopia. The statement also mentions Ethiopia’s state-owned telecom operator, Ethio-Telecom, in previous acts of data privacy breaches: “granting security authorities unlawful access to people’s information”.
Commercial bank CEO Abie Sano, in an interview given to state media, explained that it had asked for the money back repeatedly and was pushed into this step to publicize customer’s data.