A glitch in big-four bank First National Bank's (FNB's) mobile app has exposed personal information of customers applying for home loans using the digital platform. It was discovered that if an FNB client used the mobile app to apply for a home loan, they could easily see the personal details of other home loan applicants. The exposed data includes personally identifiable information, such as names, identity numbers and contact details. An FNB client who discovered the exposed data has since informed the Information Regulator, asking it to take the necessary measures against the big-four bank.

"I wish to lodge a complaint against First National Bank in respect to a breach of personal information through their banking application," the client reported to the regulator.
"Whilst applying for a home loan through the service, I noticed that I was able to access other individuals' personal information, such as ID numbers, contact details and various financial information, which is visible to other applicants, including my personal information.
"I have documented this by way of screenshots and have evidence to support this data breach. I believe my rights in terms of the POPI Act [Protection of Personal Information Act] have been infringed and this poses a huge personal security risk," stated the client.
"Your e-mail contents have been noted and will be addressed with the responsible party," says a complaints and investigations officer of the Information Regulator in an e-mail.

Under South Africa's data privacy law, the Protection of Personal Information Act (POPIA), organisations must inform the Information Regulator if they expose the personal information of data subjects to unauthorised third parties without their approval. FNB has acknowledged exposing the personal information of its clients, saying it is in the process of notifying the relevant authorities, as well as those who have been impacted.
While the financial institution has rushed to disable the app functionality in question, it did not disclose how many customers were impacted.
Says the bank in a statement: "FNB is aware of a technical error that made the information of certain home loan applicants, such as full names and ID numbers, visible to other home loan applicants who logged in via our digital channels. FNB takes the privacy and protection of customer information very seriously, and the affected functionality has since been temporarily disabled to resolve the root cause of the issue. We are in the process of contacting the affected customers and the appropriate regulator. Customers requiring any assistance can contact us through Secure Chat on the FNB app."
FNB recently made sweeping changes to its brand, including a redesign of its popular banking app.
The FNB app, introduced more than a decade ago, saw its active transacting base exceed 4.7 million customers, based on results for the year ended 30 June 2022.
The data exposure comes at a time the Information Regulator is receiving an unprecedented number of reports about data breaches in South Africa.
Speaking during the Governance, Risk and Compliance 2023 conference last week, advocate Pansy Tlakula, chairperson of the Information Regulator, revealed that data breaches are a big problem in this country - much bigger than people think. "Every public body, every private body that has suffered a security compromise or data breach has to notify us - there is no threshold. Even if one person was breached, they still have to notify us. If you look at 500 (it's 564 to be precise), it means that in a month, this country suffers about 56 data breaches - major and minor ones," she revealed. "I think we are one of the highest in the world with data breaches."

Based on the FNB study above, recommend the four (4) stages of the Deming (PDCA) cycle to assist with proper management of information risks. Write an answer for 15 marks in paragraphs.

1 answer

The Deming Cycle, also known as the Plan-Do-Check-Act (PDCA) cycle, is a robust framework for continuous improvement that can be effectively applied to the management of information risks, particularly in the context of the recent data breach at First National Bank (FNB). By utilizing the four stages of this cycle, organizations can enhance their processes to prevent future incidents and protect sensitive customer information.

1. Plan: The first stage involves identifying the problem and establishing the necessary objectives for improvement. In the case of FNB, the breach revealed a catastrophic flaw in the mobile app that allowed unauthorized access to personal information. The bank must now engage in a comprehensive risk assessment to identify vulnerabilities in their digital platforms. This involves not only assessing the current technology but also the policies and procedures that govern data protection. A thorough analysis should be performed, considering all potential risks associated with data handling. The bank should set specific, measurable objectives aimed at enhancing data security and ensuring compliance with the Protection of Personal Information Act (POPIA). This stage also requires the development of a clear action plan detailing the steps necessary for improvement, such as updating software, training staff, and enhancing security measures.

2. Do: After establishing a plan, FNB must take action to implement the devised strategies. This includes fixing the technical error in the mobile app, making sure all developers and relevant personnel are trained on best practices for data security, and conducting regular security audits. The implementation phase should be monitored closely to ensure that the steps outlined in the planning stage are executed effectively. For FNB, communication with affected customers is crucial during this stage, as transparency helps to rebuild trust. Moreover, any new measures taken should be documented thoroughly for future reference and assessment.

3. Check: The check phase involves evaluating the effectiveness of the steps taken. FNB should systematically monitor the outcomes of the changes implemented and assess whether these actions have successfully mitigated the risks of data breaches. This could include conducting audits of the mobile app, performing penetration testing, and reviewing feedback from customers regarding their experience with the app post-implementation. Evaluating the system’s performance against the initial objectives defined in the planning phase will enable the bank to determine if further enhancements are needed. It would also be beneficial to assess compliance with regulatory requirements set forth by the Information Regulator, thereby ensuring full accountability and potential avoidance of penalties.

4. Act: The final stage of the PDCA cycle is about institutionalizing the changes that proved effective during the check phase. FNB needs to make any necessary adjustments to the ongoing policies and procedures based on the insights gained. This could involve establishing a culture of continuous improvement where feedback mechanisms are reinforced for ongoing monitoring of data security protocols. Additionally, the bank should develop a risk management framework that clearly outlines protocols for identifying, reporting, and reacting to future data breaches. Training and awareness programs for employees should be regularly updated to foster an informed workforce that understands the significance of data privacy. By formalizing these practices, FNB can create a more resilient framework that not only addresses current vulnerabilities but also anticipates and mitigates future information risks.

In conclusion, implementing the PDCA cycle provides a structured approach for FNB to manage and mitigate information risks effectively. By engaging in thorough planning, actively implementing strategies, evaluating outcomes, and institutionalizing effective practices, the bank can safeguard personal information, enhance customer trust, and comply with legal requirements, thus preventing similar incidents in the future.