A glitch in big-four bank First National Bank's (FNB's) mobile app has exposed the personal information of customers applying for home loans through the digital platform. If an FNB client used the mobile app to apply for a home loan, they could see the personal details of other home loan applicants. The exposed data includes personally identifiable information, such as names, identity numbers and contact details. An FNB client who discovered the exposure has since informed the Information Regulator, asking it to take the necessary measures against the bank.

"I wish to lodge a complaint against First National Bank in respect to a breach of personal information through their banking application," the client reported to the regulator.
"Whilst applying for a home loan through the service, I noticed that I was able to access other individuals' personal information, such as ID numbers, contact details and various financial information, which is visible to other applicants, including my personal information.

"I have documented this by way of screenshots and have evidence to support this data breach. I believe my rights in terms of the POPI Act [Protection of Personal Information Act] have been infringed and poses a huge personal security risk," stated the client.
"Your e-mail contents have been noted and will be addressed with the responsible party," says a complaints and investigations officer of the Information Regulator in an e-mail.

Under South Africa's data privacy law, the Protection of Personal Information Act (POPIA), a responsible party must notify the Information Regulator, and the affected data subjects, as soon as reasonably possible after there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person. FNB has acknowledged exposing the personal information of its clients, saying it is in the process of notifying the relevant authorities, as well as those who have been impacted.
While the financial institution has rushed to disable the app functionality in question, it did not disclose how many customers were impacted.
Says the bank in a statement: "FNB is aware of a technical error that made the information of certain home loan applicants, such as full names and ID numbers, visible to other home loan applicants who logged in via our digital channels. FNB takes the privacy and protection of customer information very seriously, and the affected functionality has since been temporarily disabled to resolve the root cause of the issue. We are in the process of contacting the affected customers and the appropriate regulator. Customers requiring any assistance can contact us through Secure Chat on the FNB app."
FNB recently made sweeping changes to its brand, including a redesign of its popular banking app.
The FNB app, introduced more than a decade ago, saw its active transacting base exceed 4.7 million customers, based on results for the year ended 30 June 2022.
The data exposure comes at a time when the Information Regulator is receiving an unprecedented number of data breach reports in South Africa.
Speaking during the Governance, Risk and Compliance 2023 conference last week, advocate Pansy Tlakula, chairperson of the Information Regulator, revealed that data breaches are a big problem in this country - much bigger than people think.

"Every public body, every private body that has suffered a security compromise or data breach has to notify us - there is no threshold. Even if one person was breached, they still have to notify us. If you look at 500 (it's 564 to be precise), it means that in a month, this country suffers about 56 data breaches - major and minor ones," she revealed. "I think we are one of the highest in the world with data breaches."

POPIA sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and reputational loss. Breaching the Act can have serious financial implications for a business, as well as long-lasting consequences such as reputational damage.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

Based on the FNB study above, recommend the four (4) stages of the Deming (PDCA) cycle to assist with proper management of information risks. Write an answer for 15 marks.

1 answer

The Deming Cycle, also known as PDCA (Plan-Do-Check-Act), is a continuous improvement framework that organizations can use to systematically manage processes and improve quality. In the context of addressing information risks, particularly highlighted by the personal data exposure incident at First National Bank (FNB), the following four stages of the PDCA cycle can be applied:

1. Plan

In this stage, the organization must develop a comprehensive plan to manage information risks and prevent future data breaches. This includes:

  • Risk Assessment: Conduct a thorough assessment to identify potential vulnerabilities within the mobile app and other digital platforms. Understand where sensitive information is stored and how it is accessed.
  • Policy Development: Create or revise information security policies that comply with relevant regulations, including the Protection of Personal Information Act (POPIA). Ensure that there are clear guidelines on data privacy, access controls, and incident response.
  • Training and Awareness: Develop training programs for employees to enhance their awareness and understanding of data protection best practices and to promote a culture of security within the organization.
  • Resource Allocation: Allocate necessary resources, including budget, personnel, and technology, to implement security measures and tools needed to protect personal information.

2. Do

Once the planning is complete, the next step is to implement the planned measures:

  • Implement Security Controls: Deploy technical measures to secure the application and its data. This can include encryption, access controls, and secure coding practices to mitigate vulnerabilities.
  • Monitor Compliance: Ensure that all employees adhere to the newly established policies and procedures related to data protection. Regularly conduct training sessions to reinforce these protocols.
  • Incident Response Plan: Develop and implement an incident response plan outlining the steps to be taken in the event of a data breach, including notification procedures for affected customers and authorities.

3. Check

This stage focuses on monitoring and evaluating the effectiveness of the implemented measures:

  • Audit and Review: Conduct regular audits of the mobile app and other systems to ensure compliance with security policies and to identify any new vulnerabilities.
  • Performance Metrics: Establish key performance indicators (KPIs) to assess how well the security measures are working. This could include tracking the number of data breaches, response times to incidents, and employee compliance with training requirements.
  • Feedback Mechanism: Set up a feedback mechanism to gather input from employees and customers regarding their experiences with data security. This information can provide insights into areas that may need improvement.

4. Act

In the final stage, the organization must act upon the findings from the previous stage:

  • Continuous Improvement: Based on the audit findings and performance metrics, make necessary improvements to policies, procedures, and technical measures. Adapt to emerging threats and changes in regulatory requirements.
  • Revising Plans: Update the risk management plan and security policies as needed. This ensures that they remain relevant and effective in addressing evolving information risks.
  • Report Findings: Communicate the outcomes of the evaluations and audits to all stakeholders, including regulatory bodies and affected customers, as part of transparency and accountability efforts.

Conclusion

By following the Deming PDCA cycle, FNB can systematically manage its information risks, ensuring that it protects its customers' personal data effectively. Continuous monitoring, feedback, and iterative improvements form a robust strategy to mitigate risks and enhance data security in a rapidly changing digital landscape.
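The article does not say what caused the exposure, but the effect it describes (an authenticated applicant able to read other applicants' records) is what a missing object-level authorization check looks like in application code, which is the concrete form the answer's "access controls" and "secure coding practices" (Do) and "audit" (Check) points take. The Python block below is an added example, not code from the article, from FNB or from the answer above; the loan records, customer identifiers and function names are constructed for illustration and assume nothing about FNB's real systems. It shows a lookup that trusts only the record id beside the same lookup with an ownership check, and the automated cross-access audit that the Check stage should run against both.

```python
"""Added example (not from the article, FNB, or the answer above): a minimal
model of a 'view my home-loan application' endpoint showing how an
object-level authorization check turns cross-applicant exposure into a
denial, plus the kind of automated audit the Check stage should run.

Assumption: the records, customer identifiers and function names below are
constructed for illustration; the article does not describe FNB's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoanApplication:
    app_id: int
    owner_id: str        # the customer who submitted the application
    full_name: str
    id_number: str
    phone: str


class NotAuthorized(Exception):
    """Raised when a customer asks for an application that is not theirs."""


# Constructed sample data standing in for a home-loan applications table.
APPLICATIONS = {
    101: LoanApplication(101, "cust-A", "Applicant A", "8001015009087", "+27 82 000 0001"),
    102: LoanApplication(102, "cust-B", "Applicant B", "9002026009088", "+27 82 000 0002"),
    103: LoanApplication(103, "cust-C", "Applicant C", "7503037009089", "+27 82 000 0003"),
}


def get_application_vulnerable(requester_id: str, app_id: int) -> LoanApplication:
    """Looks the record up by id only. The caller is authenticated, but nothing
    ties the record to the caller, so any logged-in applicant can read any
    application by varying app_id (an insecure direct object reference)."""
    return APPLICATIONS[app_id]


def get_application_secure(requester_id: str, app_id: int) -> LoanApplication:
    """Same lookup with an object-level authorization check: the record is
    returned only if the authenticated requester owns it. Unknown and foreign
    ids raise the same exception so the response does not reveal whether
    another applicant's record exists."""
    record = APPLICATIONS.get(app_id)
    if record is None or record.owner_id != requester_id:
        raise NotAuthorized(f"{requester_id} may not access application {app_id}")
    return record


def cross_access_audit(fetch, users, app_ids) -> list:
    """The Check-stage test: for every user, try every application id and
    record each (user, app_id) pair that returns a record the user does not
    own. An empty list means the endpoint enforces ownership."""
    leaks = []
    for user in users:
        for app_id in app_ids:
            try:
                record = fetch(user, app_id)
            except (NotAuthorized, KeyError):
                continue
            if record.owner_id != user:
                leaks.append((user, app_id))
    return leaks


if __name__ == "__main__":
    users = sorted({a.owner_id for a in APPLICATIONS.values()})
    ids = sorted(APPLICATIONS)
    print("vulnerable:", cross_access_audit(get_application_vulnerable, users, ids))
    print("secure:    ", cross_access_audit(get_application_secure, users, ids))
```

Run against the three constructed records, the vulnerable lookup leaks six foreign (user, application) pairs and the hardened one leaks none. The audit is the piece worth keeping after the incident: written as a regression test over every customer-facing record type and run in CI, it is a Check-stage control that fails the build the next time a lookup is added without an ownership check, rather than relying on a customer to notice and report it.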