- Standard Bank became aware of a data breach on its LookSee platform on 30 November.
- It notified its customers some days later - on 9 December.
- The bank says it first had to get to the bottom of the issue, and the law allows for that.
Standard Bank says it took several days to disclose the latest data breach on its LookSee platform because its immediate focus was to get to the bottom of the issue first and understand how serious it was.
The banking group informed the public on 9 December that homeowners' data was compromised by a data breach on the LookSee platform. The platform is an online property guide that leverages Lightstone data to help SA homeowners manage their properties by providing house values and insights into communities where they are located, among other things.
Data of up to 745 000 registered properties was compromised.
"Our immediate focus was on minimising the impact to the data subjects, determining the scope of the compromise and ensuring that the necessary due diligence was given to ensure any hasty steps taken did not impede any legal and criminal investigation," said Standard Bank in a short statement.
Business Day reported that Standard Bank knew about the breach on 30 November, nine days before communicating the problem to the public.
Standard Bank said it and Lightstone informed the Information Regulator "as soon as reasonably possible" after discovering the breach.
Section 22(2) of the Protection of Personal Information Act (POPIA) states that once a bank or any other institution has reasonable grounds to believe its data was accessed or acquired by any unauthorised person, it must notify the Information Regulator and people impacted "as soon as reasonably possible after the discovery of the compromise".
The problem, however, is that the Act doesn't specify what "as soon as reasonably possible" means in terms of the number of days institutions can take after discovering the breach.
It just says that companies must take into account the legitimate needs of law enforcement and what they need to determine the scope of the compromise. It also affords them time to determine what they need to restore the integrity of their information system.
However, the Act is clear that affected companies may only delay notifying the affected customers if authorities investigating it or the Regulator believe that doing so will impede a criminal investigation.
Standard Bank said its notification was in line with POPIA. But it did not answer Fin24's questions on whether any customer was prejudiced by the delay and didn't provide information on the kind of data the culprits laid their hands on. It also would not say whether the breach was a result of a hack or an unauthorised third party accessing the data.