The First National Bank (FNB) banking app inadvertently exposed the personal information of 88 home loan applicants last year.
This emerged during a pre-investigation by the Information Regulator, after ITWeb reported in February 2023 that an FNB client using the mobile app to apply for a home loan could easily see the personal details of other applicants.
This, after an FNB customer, who prefers to remain anonymous, discovered the glitch which exposed data, including personal identifiable information, such as names, identity numbers and contact details.
The client reported the matter to the Information Regulator, which enforces South Africa’s data privacy law, the Protection of Personal Information Act (POPIA).
At the time, FNB acknowledged the security hole and fixed it, but did not disclose the number of people who were impacted.
Documents seen by ITWeb show the Information Regulator has now concluded its pre-investigation into the issue.
The incident related to FNB home loan customers who submitted applications through the nav>> Home feature available on the FNB app and FNB online banking channel interfaces.
The functionality was created to cater for individual customers to capture their home loan applications (unassisted) and for FNB employees (FNB consultant-assisted capability) to capture home loan applications on behalf of customers.
When the nav>>Home feature (specifically the assisted capability) is utilised by authenticated users (customers or employees), the feature validates whether the user is a customer or FNB employee.
FNB customers are prompted, in the process, to select a consultant from the provided list, which will enable the consultant to capture the home loan application on behalf of the customer.
The crux of this privacy incident lies in the technical error which occurred on the assisted capability of the nav>>Home feature.
Identity error
According to the documents, the access permissions assigned to FNB employees were made available to 3 173 authenticated individuals, who were FNB home loan customers, referred to as the “unintended recipients”.
These unintended recipients were erroneously classified and identified as FNB employees, due to the technical and data quality issues on the nav>>Home feature.
Because of this error, if one of the unintended recipients clicked on the nav>>Home feature and proceeded to click on “my applications on behalf of someone else” feature, it would have directed them to a webpage or app page that reveals in-progress home loan applications relating to other FNB home loan customers.
For each application, the unintended recipient had the ability to view the full name, surname and identification number of any one of the 88 impacted data subjects, the documents reveal.
However, any one of these unintended recipients also had the ability to select a specific home loan application and, in doing so, would be able to access and view any captured personal information which formed part of that in-progress home loan application.
Despite the fact that the 3 173 unintended recipients (who were all FNB authenticated customers) were erroneously classified as employees, only 696 customers using the nav>>Home feature on the mobile banking app did scroll through the list of in-progress home loan applications (88 impacted data subjects), the documents show.
Responding to ITWeb’s queries, the Information Regulator confirmed 88 data subjects were impacted.
Moreover, the documents show customers who were incorrectly provisioned to use this functionality would not have been aware they had the ability to use this functionality, which should only be available to FNB employees, although 696 customers did discover this.
Chris Labuschagne, CEO of Home Structured Lending at FNB, tells ITWeb via e-mail: “FNB became aware of an incident caused by limited access permissions assigned to FNB employees on a function on our app, which were erroneously made available to a limited number of authenticated customers.
“The bank reported the matter to the Information Regulator and has been adhering to their requests. In addition, impacted home loan applicants were notified of the incident, while fraud monitoring on the affected home loan applicant accounts was implemented.”
Labuschagne adds the matter was remediated by suspending the impacted app functionality, fixing the root cause identified and testing the solution before making the functionality available again.
“The bank takes the protection of customer information very seriously and always endeavours to ensure appropriate protection measures are in place,” he says.
The Information Regulator tells ITWeb via e-mail: “A complaint was lodged in this respect and the regulator has communicated with the complainant accordingly. The pre-investigation was concluded; however, the regulator then embarked on conducting an own initiative assessment into the compliance with POPIA by FNB.”
It adds that no corrective measures have been taken with FNB. “The regulator, on the basis of the information before it, conducted the own initiative assessment in October 2023 and the matter is currently still ongoing.”
Protecting privacy
In a statement to ITWeb, the client who reported the matter says: “I am still deeply worried about the exposure of my personal and others’ personal details to attacks. The likelihood that unauthorised individuals can access highly-classified data is a matter worth being afraid of due to possibilities of vile intentions, including unauthorised selling and abuse of such information, prompting careful consideration of all available avenues to address the breach.
“In spite of these fears, I applaud how thorough the regulator has been in its investigations and transparent communications with us during this process.
“The enormity of this incident underlines the need for robust data security mechanisms for protecting people’s rights to privacy.
“I am hopeful this incident will serve as a catalyst for heightened awareness and strengthened data protection measures, not only within FNB, but across all entities entrusted with handling individuals’ personal information.”
Share