A glitch in big-four bank First national Bank's (FNB's) mobile app has exposed personal information of customers applying for home loans using the digital platform. It was discovered that if an FNB client used the mobile app to apply for a home loan, they would easily see the personal details of other home loan applicants. The exposed data includes personal identifiable information, such as names, identity numbers and contact details. An FNB client who discovered the exposed data has since informed the Information Regulator, asking it to take the necessary measures against the big-four bank.

Question

A glitch in big-four bank First national Bank's (FNB's) mobile app has exposed personal information of customers applying for home loans using the digital platform. It was discovered that if an FNB client used the mobile app to apply for a home loan, they would easily see the personal details of other home loan applicants. The exposed data includes personal identifiable information, such as names, identity numbers and contact details. An FNB client who discovered the exposed data has since informed the Information Regulator, asking it to take the necessary measures against the big-four bank.
"I wish to lodge a complaint against First National Bank in respect to a breach of personal information through their banking application," the client reported to the regulator.
"Whilst applying for a home loan through the service,
I noticed that I was able to access other individuals' personal information, such as ID numbers, contact details and various financial information, which is visible to other applicants, including my personal information.
"I have documented this by way of screenshots and have evidence to support this data breach.
I believe my rights in terms of the POPI Act [Protection of Personal Information Act] have been infringed and poses a huge personal security risk," stated the client.
"Your e-mail contents have been noted and will be addressed with the responsible party," says a complaints and investigations officer of the Information Regulator in an e-mail.Under South Africa's data privacy law, the Protection of Personal Information Act (POPIA), organisations must inform the Information Regulator if they expose the personal information of data subjects to unauthorised third parties without their approval. FNB has acknowledged exposing the personal information of its clients, saying it is in the process of notifying the relevant authorities, as well as those who have been impacted.
While the financial institution has rushed to disable the app functionality in question, it did not disclose how many customers were impacted.
Says the bank in a statement: "FNB is aware of a technical error that made the information of certain home loan applicants, such as full names and ID numbers, visible to other home loan applicants who logged in via our digital channels.
FNB takes the privacy and protection of customer information very seriously, and the affected functionality has since been temporarily disabled to resolve the root cause of the issue.
We are in the process of contacting the affected customers and the appropriate regulator.
Customers requiring any assistance can contact us through Secure Chat on the FNB app."
FNB recently made sweeping changes to its brand, including a redesign of its popular banking app.
The FNB app, introduced more than a decade ago, saw its active transacting base exceed 4.7 million customers, based on results for the year ended 30 June 2022.
The data exposure comes at a time the Information Regulator is receiving an unprecedented number of reports about data breaches in South Africa.
Speaking during the Governance, Risk and Compliance 2023 conference last week, advocate Pansy Tlakula, chairperson of the Information Regulator, revealed that data breaches are a big problem in this country - much bigger than people think. "Every public body,
every private body that has suffered a security compromise or data breach has to notify us - there is no threshold. Even if one person was breached, they still have to notify us. If you look at 500 (it's 564 to be precise), it means that in a month, this country suffers about 56 data breaches - major and minor ones," she revealed. "I think we are one of the highest in the world with data breaches."POPIA sets down firm frameworks that companies have to abide by to avoid fines, criminal persecution and potential reputation loss. Breaching the rules and regulations outlined by this Act can have serious financial implications for the business - repercussions that can cost a fortune and have long-lasting consequences, such as reputational damage.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.Identify the risk treatment criteria that can be applied at the strategic level by
FNB, in the above case, to document all risks, where consequences for the firm could be dire, as well as emerging risks that could cause larger troubles in the future if they are not monitored carefully?Write an answer for 15 marks

GPT-4o mini · Answer

To effectively mitigate risks arising from the recent data breach incident at First National Bank (FNB), strategic risk treatment criteria must be established. These criteria should focus on documenting and addressing both current and emerging risks, which, if left unchecked, could lead to severe consequences for the bank. Below are key risk treatment criteria that FNB can apply at the strategic level:

1. Risk Identification and Documentation

Comprehensive Risk Assessment: Implement a rigorous risk assessment process to identify all potential risks related to the technology, operations, and data management. This should include the identification of vulnerabilities within the mobile app and potential unauthorized access points.
Documentation of Risks: Maintain a detailed risk register that documents all identified risks categorized by severity, potential impact on customer trust, financial implications, and compliance failures under the Protection of Personal Information Act (POPIA).

2. Incident Response and Management

Non-Compliance and Incident Reporting: Establish protocols for the immediate reporting of data breaches to the Information Regulator and affected customers as mandated by POPIA. Ensure a clear chain of communication is outlined for internal and external stakeholders.
Crisis Management Plan: Develop a robust crisis management plan that includes steps for public communication, rectification of technological faults, and strategies to restore customer confidence after a breach.

3. Regulatory Compliance

Adherence to POPIA: Ensure continuous compliance with POPIA, including regular audits of data handling processes and frequent training for staff on privacy regulations and ethical data management.
Establish a Compliance Framework: Create a comprehensive compliance framework to monitor the adherence to data protection laws and regulations, ensuring that any breach leads to immediate corrective actions.

4. Technology Evaluation and Upgrades

Technology Audit: Conduct regular audits of existing technology and systems, specifically focusing on the mobile app’s security and privacy settings. This will help identify potential loopholes that can be exploited.
Investment in Secure Technologies: Allocate resources towards upgrading security infrastructure, implementing advanced encryption methods, and utilizing secure coding practices. Ensure that robust vulnerability testing is part of the development cycle.

5. Staff Training and Awareness

Regular Training Programs: Implement continuous training programs for employees at all levels to foster a culture of data protection and privacy awareness. Ensure employees understand their roles in maintaining data security and the implications of non-compliance.
Phishing and Security Awareness Campaigns: Conduct regular campaigns to educate staff about potential security threats and phishing attacks to reduce human error that may lead to data breaches.

6. Monitoring and Continuous Improvement

Establish a Monitoring Framework: Develop a framework for ongoing monitoring of data usage and access patterns within digital channels. This includes regular reviews of activity logs and alerts for suspicious behavior.
Feedback Mechanisms: Create channels through which customers can report any discrepancies related to their data, thus enabling early identification of potential security issues.

7. Stakeholder Engagement and Communication

Transparent Communication Strategy: Maintain open lines of communication with customers regarding data privacy practices and any actions being taken post-breach. This transparency can help rebuild trust.
Engagement with Regulators: Foster an ongoing relationship with the Information Regulator to stay informed about best practices, compliance updates, and industry benchmarks for data protection.

8. Risk Transfer

Insurance Coverage: Evaluate and obtain cyber liability insurance that can help manage financial risks associated with data breaches, ensuring the bank is protected against significant financial losses.

Conclusion

Overall, adopting these strategic risk treatment criteria will allow FNB to not only address current risks stemming from the data breach but also to identify and mitigate emerging risks that could result in more significant issues in the future. Proactively managing these areas will be essential for maintaining customer trust, adhering to regulatory requirements, and protecting the organization’s reputation.