Group 3 - Case Study Analysis 3

Case Study 3: Data Privacy Breach

at FinSecure Inc.

Submitted by:
GROUP 3
(Leader)
Lugod, Brendan Jane S.

(Members)
Almazan, Janna Ricci N.
Batangan, Renz
Boncalos, John Emhar
Burgos, Albert
Cayanong, Joana Marie D.
Dela Trinidad, Kurt
Francis, Mark Ghian M.
Guillermo, Roxanne L.
Inocentes, Mikhail Andre
Maluping, Crystal Angel
Mataverde, Athena Bea
Moriones, Rose-Ann
Paje, Jhezarine
Santillian, Kuzuii
Tulin, Roselle

Submitted to:
Dr. Javier A. Villanueva
ITP315 | Social and Professional Issues Professor
September 6, 2024

EXECUTIVE SUMMARY

FinSecure Inc., a financial services firm, experienced a significant data breach that compromised
sensitive customer data and revealed serious weaknesses in its processes. The incident,
attributed primarily to insufficient cybersecurity practices, exposed the company's vulnerability
to advanced cyber threats. A subsequent social audit found that the problem was worsened by
inadequate handling and protection of customer data and by poor data management practices.
The audit also found a significant deficiency in staff training on data security protocols, which
left the company more vulnerable to breaches because employees were not properly informed
and trained.

The breach had serious consequences that could lead to significant monetary damages for
FinSecure Inc. and a major loss of customer confidence and trust. The company may suffer a
serious blow to its reputation, impairing its capacity to retain and attract customers. The ethical
issues identified call for immediate action to review and strengthen its cybersecurity framework,
improve data handling procedures, and dedicate resources to extensive employee training
initiatives. By taking proactive measures to improve its security foundation, the company can
mitigate future risks and ensure its long-term sustainability in a competitive industry.

INTRODUCTION

FinSecure Inc. joined the long list of financial service providers that have suffered a critical data
privacy breach in which sensitive customer information was exposed. A breach of this nature,
and its improper management, can only be explained by shortcomings in the company's
cybersecurity defenses and by poor training of its personnel in protecting against data breach
incidents. Beyond the financial consequences, the breach lowered customer trust. The incident
underlines the dire need for ethical conduct in the financial sector with regard to transparency,
equity, and accountability.

Addressing these ethical concerns properly is not only about keeping in step with the law but
about building trust and taking responsibility for the care of customer information. Strong data
privacy measures offer the highest level of assurance of compliance with the General Data
Protection Regulation while also preventing identity theft and financial fraud. The way a
business reacts, particularly how effectively it informs customers about the incident, can have a
big impact on its reputation. The companies with the best chance of winning back clients are
those that act quickly to fix the breach and disclose it.

As a result, the FinSecure, Inc. hacking incident developed into a formal case that warranted
further investigation, highlighting the connection between long-term customer relations and
corporate ethics.

Such an investigation would go a long way toward establishing accountability for ethical
problems of this kind, while helping restore the reputations of FinSecure and other financial
institutions and contributing to a more robust and fairer financial system. The company's
commitment to ethics has brought everyone in the financial ecosystem one step closer to a safer
future.

ETHICAL ANALYSIS

Data breaches have been a significant issue since the early days of the digital age. As technology
evolved and organizations increasingly stored sensitive information electronically, the risk of
unauthorized access and data breaches grew. Cheng et al. (2017), in their study published in
Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, observed that
significant data breaches have become increasingly frequent, with external attackers, rather than
insiders, being the primary culprits. Figure 1, taken from their study, illustrates several major
breaches over the years, demonstrating how a single incident can compromise the personal
information of hundreds of millions of people and lead to financial losses in the hundreds of
millions of dollars.

Amid evolving fraud tactics and data breaches, companies like FinSecure Inc. have faced
substantial challenges. FinSecure Inc. experienced significant losses and customer dissatisfaction
because of its outdated rule-based fraud detection system. The old system could not keep up
with evolving fraud tactics, leading to frequent false positives, slow response times, and a
decline in operational efficiency and customer trust. This example underscores the practical
difficulties organizations face in managing fraud detection effectively.

A recent 2023 survey of Chief Information Security Officers (CISOs) worldwide sheds light on
the most common causes of information loss across global organizations. Figure 2 shows that
data loss is primarily caused by careless users (70.6%), compromised systems (48.1%),
misconfigured systems (45.3%), and malicious insiders (20%). This highlights the need for
organizations to prioritize user education, robust cybersecurity, and proper system configuration.
Careless behavior and system vulnerabilities not only put organizational integrity at risk but also
compromise personal data, emphasizing the moral obligation to protect sensitive information
through comprehensive security measures and responsible data management practices.

Amid all this, data privacy laws have also become more complex and strict in recent years
because of growing concerns about how personal information is used. The most widely applied
and best-known of these regulations is the European Union's General Data Protection
Regulation (GDPR). Under the GDPR, organizations must appoint a Data Protection Officer
(DPO) to ensure they follow data protection rules. Companies must also have Data Processing
Agreements (DPAs) if they manage data for other organizations. The law requires that data
breaches be reported to authorities within 72 hours and that affected individuals be informed
promptly. It also mandates that privacy measures be built in from the start of data processing,
and it limits the transfer of data outside the EU to ensure ongoing protection.

Balancing fraud detection sensitivity is crucial yet challenging. A system that is too sensitive
produces many false positives, inconveniencing customers and burdening the fraud investigation
team with unnecessary alerts. On the other hand, a system that is not sensitive enough may miss
real fraud, exposing the organization to significant risks. FinSecure Inc.'s experience with its
outdated fraud detection system exemplifies the difficulty of achieving this balance.
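To make the trade-off concrete, here is an added example (not part of the group's case study and not FinSecure's actual system): a toy rule-based scorer with assumed weights, swept across three alert thresholds on a constructed set of ten labelled transactions. Lowering the threshold catches every fraud but inconveniences four legitimate customers; raising it removes the false positives but misses three of the four frauds.

```python
# Added example (not from the case study): sweeping the alert threshold of a
# toy rule-based fraud scorer to show the trade-off the paragraph describes.
# Weights, thresholds and transactions are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount: float   # transaction value in the customer's currency
    hour: int       # local hour of day, 0-23
    foreign: bool   # merchant outside the customer's home country
    is_fraud: bool  # ground-truth label, known only in hindsight


def risk_score(tx: Transaction) -> int:
    """Toy rule-based score from 0 to 100 (assumed weights, not FinSecure's rules)."""
    score = 0
    if tx.amount > 1000:                 # unusually large purchase
        score += 40
    if tx.hour < 6 or tx.hour > 22:      # outside normal waking hours
        score += 30
    if tx.foreign:                       # cross-border merchant
        score += 30
    return score


def evaluate(transactions, threshold: int) -> dict:
    """Count what a given alert threshold would have done on labelled history."""
    tp = fp = fn = 0
    for tx in transactions:
        flagged = risk_score(tx) >= threshold
        if flagged and tx.is_fraud:
            tp += 1                      # fraud caught
        elif flagged:
            fp += 1                      # legitimate customer inconvenienced
        elif tx.is_fraud:
            fn += 1                      # fraud missed
    return {"threshold": threshold, "alerts": tp + fp,
            "caught_fraud": tp, "false_positives": fp, "missed_fraud": fn}


def sweep(transactions, thresholds=(30, 60, 90)):
    """Evaluate several thresholds so the trade-off is visible side by side."""
    return [evaluate(transactions, t) for t in thresholds]


# Constructed transaction history (ten records, four of them fraudulent).
SAMPLE_TRANSACTIONS = [
    Transaction("t01", 50.0, 14, False, False),
    Transaction("t02", 1500.0, 15, False, False),   # large but legitimate
    Transaction("t03", 200.0, 23, False, False),    # late-night but legitimate
    Transaction("t04", 80.0, 10, True, False),      # customer travelling abroad
    Transaction("t05", 2500.0, 3, True, True),
    Transaction("t06", 1200.0, 2, False, True),
    Transaction("t07", 300.0, 1, True, True),
    Transaction("t08", 900.0, 12, True, True),      # low-signal fraud
    Transaction("t09", 1100.0, 23, False, False),   # large, late, but legitimate
    Transaction("t10", 40.0, 9, False, False),
]

if __name__ == "__main__":
    for row in sweep(SAMPLE_TRANSACTIONS):
        print(row)
```

At threshold 30 the scorer raises eight alerts for four real frauds; at 90 it raises one alert and misses three frauds. The middle setting still lets one low-signal fraud through, which is why the text calls the balance a struggle rather than a setting to pick once.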

Insufficient employee training on data privacy and security at FinSecure Inc. has resulted in
significant ethical concerns. Primarily because of a lack of emphasis on data security, employees
have not fully grasped the importance of handling customer data responsibly. This negligence
has led to financial losses and eroded customer trust.

One of the reasons for data breaches in numerous sectors is inadequate training on data privacy
and security among employees, which puts firms in serious danger. Employees who are not
properly trained and who lack security awareness could endanger the organization by
mishandling information by accident or by falling victim to phishing attempts. This results in
data breaches that cost the firm a great deal of money and harm the firm's reputation.
Amoresano & Yankson (2023) indicated in their study that companies, especially higher
education institutions, suffer greatly from data breaches as a result of employees' ignorance of
proper cybersecurity policies, training, and awareness-raising, as well as their lack of
understanding of data privacy and security. Employees' inadequate knowledge about data
privacy and security could have several negative effects that lead to data breaches.

According to a recent IBM report from 2022, IT failure was the main contributing factor to data
breaches. The most remarkable element was human error, which accounted for 21% of data
breaches. This data suggests that employee negligence is one of the causes of data breaches and
emphasizes how crucial it is to adequately train employees to increase their awareness of data
privacy and security. The report further stated that despite advancements in technology, such as
artificial intelligence (AI) fraud detection systems, human error still poses a serious risk.
Considering that data breaches have impacted numerous businesses and organizations in recent
years and have become more prevalent, companies must ensure that employees are more
accountable and better educated about data security and privacy.

Data breaches have far-reaching consequences that impact multiple stakeholders. Organizations
can face severe financial penalties, legal actions, and reputational damage. Addressing breaches
incurs substantial costs and can erode customer trust. Customers are vulnerable to identity theft,
privacy loss, and financial harm. Employees may also experience job insecurity, loss of personal
data, and potential legal liability. These widespread effects emphasize the urgent need for strong
cybersecurity measures and active management to protect sensitive information and reduce risks.

ACTION PLAN

Prompt intervention in the event of critical incidents such as data breaches is imperative to
preserving both the company’s operational integrity and its public standing. In this section, we
present a series of proposed action plans specifically designed to address the underlying issues
associated with such security threats. These strategies not only focus on mitigating immediate
risks but also aim to fortify the organization’s broader security framework, thereby reducing the
probability of recurrence. Through the implementation of these comprehensive measures, we
seek to enhance operational efficiency, elevate service quality, and restore stakeholder
confidence. Our approach integrates both short-term corrective actions and long-term strategic
improvements, ensuring the company’s sustained resilience against emerging risks in the digital
landscape. Here are our proposed solutions:

BREACH RESPONSE PLAN

Communication Plan

Internal Communication
  - Notify relevant staff and stakeholders within the organization.
  - Provide clear and concise information about the breach, the types of data affected, and
    steps being taken to address the issue.

External Communication
  - Develop a public relations statement to be released to the media and affected individuals.
  - Coordinate with regulatory authorities, law enforcement, and any third-party vendors
    involved.

Incident Response Procedures

Incident Detection
  - Monitor systems for signs of a breach, such as unusual network activity, unauthorized
    access attempts, or data loss.
  - Conduct a thorough investigation to determine the nature and extent of the breach.

Containment
  - Isolate compromised systems to prevent further data loss.
  - Disable unauthorized access to affected systems and data.

Investigation
  - Gather evidence to identify the cause of the breach and determine the affected data.
  - Document the incident and all actions taken.

Notification
  - Notify affected individuals and regulatory authorities as required by law.
  - Provide clear and concise information about the breach, the types of data affected, and
    steps being taken to address the issue.

Remediation
  - Implement measures to prevent future breaches, such as strengthening security controls,
    updating systems, and conducting employee training.
  - Restore compromised data, if possible.

Review and Improvement
  - Conduct a post-incident review to identify lessons learned and areas for improvement.
  - Update the breach response plan accordingly.

RESPONSIBLE TEAM: IT, Legal, Compliance, and Executive Department
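The Incident Detection step above can be illustrated with a small script, added here as an example rather than taken from the case study: it parses constructed authentication and export log lines (the log format, field names, and thresholds are assumptions) and raises an alert on repeated failed logins within a short window and on bulk or off-hours data exports, two of the breach signs the procedure names.

```python
# Added example (not from the case study): a small detector run over constructed
# authentication/export log lines to flag repeated unauthorized access attempts
# and unusual data movement. Log format, field names and thresholds are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)(?: records=(?P<records>\d+))?$"
)

# Constructed sample log: a burst of failed logins on one account, a successful
# login, then a large export at 02:16; a normal analyst session for contrast.
SAMPLE_LOG = """
2024-09-06T02:14:05Z user=jdoe action=login result=FAIL src=203.0.113.7
2024-09-06T02:14:21Z user=jdoe action=login result=FAIL src=203.0.113.7
2024-09-06T02:14:40Z user=jdoe action=login result=FAIL src=203.0.113.7
2024-09-06T02:15:02Z user=jdoe action=login result=OK src=203.0.113.7
2024-09-06T02:16:30Z user=jdoe action=export result=OK src=203.0.113.7 records=48000
2024-09-06T09:01:12Z user=asmith action=login result=OK src=10.0.0.25
2024-09-06T09:05:44Z user=asmith action=export result=OK src=10.0.0.25 records=120
2024-09-06T11:20:00Z user=asmith action=login result=FAIL src=10.0.0.25
""".strip().splitlines()


def parse(line: str):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["records"] = int(e["records"]) if e["records"] else 0
    return e


def detect(lines, fail_threshold=3, window=timedelta(minutes=5),
           export_limit=1000, business_hours=(7, 20)):
    """Return (rule, user, src, timestamp) alerts for suspicious activity."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent FAILs
    for e in filter(None, map(parse, lines)):
        if e["action"] == "login" and e["result"] == "FAIL":
            # keep only failures inside the sliding window, then add this one
            fails = [t for t in recent_failures[e["user"]] if e["ts"] - t <= window]
            fails.append(e["ts"])
            if len(fails) >= fail_threshold:
                alerts.append(("repeated_login_failures", e["user"], e["src"],
                               e["ts"].isoformat()))
                fails = []                # one alert per burst, then count again
            recent_failures[e["user"]] = fails
        elif e["action"] == "export" and e["result"] == "OK":
            off_hours = not (business_hours[0] <= e["ts"].hour < business_hours[1])
            if e["records"] > export_limit or off_hours:
                alerts.append(("unusual_data_export", e["user"], e["src"],
                               e["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the detector raises two alerts, both on the jdoe account: the third failed login inside the five-minute window, and the 48,000-record export at 02:16. The analyst's single failed login and small daytime export raise nothing, which is the point of tying alerts to a burst and a size or time-of-day limit rather than to any single failure.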

DATA SECURITY VULNERABILITIES


Limit Data Access
  - Limit employee access to only the data they need to do their jobs.

Monitor Data Security
  - Regularly monitor data security.

Encryption for sensitive data
  - Protect data from unauthorized access.

TIMELINE: 3 months and ongoing implementation
RESPONSIBLE TEAM: IT Department

PREVENTION: Regular security audits and update to maintain security defense
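As an added example (not from the case study), the following shows what "limit employee access to only the data they need" looks like as a policy: an over-broad policy in which every role reads every data category beside a least-privilege one, with a function that counts how many records a single compromised account in each role could reach, and an audit log of denied requests that the monitoring step can review. The roles, data categories, and records are constructed.

```python
# Added example (not from the case study): a least-privilege data access policy
# beside an over-broad one, plus a measure of how many records one compromised
# account in each role could read. Roles, categories and records are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str   # kind of customer data this record holds


# Constructed customer-data inventory.
RECORDS = [
    Record("c-001", "contact"), Record("c-002", "contact"), Record("c-003", "contact"),
    Record("a-001", "account"), Record("a-002", "account"),
    Record("k-001", "card"), Record("k-002", "card"),
    Record("y-001", "kyc"),
]
ALL_CATEGORIES = {"contact", "account", "card", "kyc"}

# Weak setting: every role can read every category.
BROAD_POLICY = {role: set(ALL_CATEGORIES)
                for role in ("support", "fraud_analyst", "marketing")}

# Corrected setting: each role gets only the categories its job needs.
LEAST_PRIVILEGE_POLICY = {
    "support": {"contact", "account"},
    "fraud_analyst": {"account", "card"},
    "marketing": {"contact"},
}


def can_access(policy, role, record) -> bool:
    """Deny by default: unknown roles and unlisted categories get nothing."""
    return record.category in policy.get(role, set())


def exposure(policy, role, records=RECORDS) -> int:
    """Records one compromised account in this role could read (its blast radius)."""
    return sum(1 for r in records if can_access(policy, role, r))


def request(policy, role, record, audit_log) -> bool:
    """Check an access request and record the decision for later monitoring."""
    allowed = can_access(policy, role, record)
    audit_log.append({"role": role, "record": record.record_id, "allowed": allowed})
    return allowed


def denied_count(audit_log) -> int:
    """Denied requests are the signal the monitoring step should review."""
    return sum(1 for entry in audit_log if not entry["allowed"])


if __name__ == "__main__":
    for role in LEAST_PRIVILEGE_POLICY:
        print(role, exposure(BROAD_POLICY, role), "->",
              exposure(LEAST_PRIVILEGE_POLICY, role))
```

Under the broad policy a phished marketing account exposes all eight records; under the least-privilege policy it exposes the three contact records and nothing else, and every attempt to read card or KYC data lands in the audit log as a denied request.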

IMPROVING CYBERSECURITY MEASURES

Establish strong cybersecurity policy
  - Set up firewalls and use antivirus software.
  - Administer access control.
  - Create a response plan.

Implement password policy
  - Use strong passwords.
  - Use multi-factor authentication.

Keep software up to date
  - Run regular vulnerability audits.
  - Create backups of the data.

Secure company devices and accounts
  - Monitor employee and third-party activities.
  - Surveillance of electronic products only for business.

TIMELINE: 1 month for development, ongoing implementation
RESPONSIBLE TEAM: IT Department

ENHANCING EMPLOYEE TRAINING ON DATA PROTECTION

Employee Awareness
  - Foster employee cybersecurity awareness.
  - Be vigilant and proactive in identifying and reporting potential security issues.

Avoid the risks
  - Training should also address specific vulnerabilities.
  - Know the various risks that compromise organization data.
  - Use strong passwords to prevent hackers from accessing the data.

Employee Training
  - Train employees on common phishing techniques.
  - Conduct regular training sessions.
  - Employees should always be informed of the latest threats.
  - Always report the threats they encounter to prevent already

Create strong password policy
  - Create a strong password and follow the password complexity requirements.
  - Everyone performs regular password updates.

TIMELINE: Ongoing implementation
RESPONSIBLE TEAM: IT and HR Department


IMPLEMENTING STRONGER DATA PRIVACY POLICIES

Data privacy compliance framework
  - Implement robust data protection measures.
  - Assess data handling practices.
  - Develop privacy policies and procedures.

Training and Awareness Program
  - Train employees on data privacy, with ongoing training.
  - Monitor every employee's activities.
  - Secure hiring and termination procedures.

Monitor Compliance Activities
  - Conduct internal audits of the compliance process.
  - Surveillance of electronic products only for business.

TIMELINE: 1 month for initial review, ongoing revisions and implementation
RESPONSIBLE TEAM: Legal and Compliance Department

STRATEGIES FOR REBUILDING CUSTOMER TRUST

Show positive progress
  - Be transparent while showing positive progress.

Communicate Transparently
  - Be kind, be honest, and be committed to resolving the situation.

Embrace Sincerity and Care
  - Embrace sincerity and care as guiding principles in all interactions you have with
    customers.

TIMELINE: Immediate upon incident
RESPONSIBLE TEAM: PR and Customer Relations Team

ENSURING COMPLIANCE WITH DATA PROTECTION REGULATIONS

Data privacy regulations
  - Understand the regulation.
  - Create a data inventory.
  - Develop policies and procedures.
  - Train employees.

Data protection
  - Ensure that only authorized users can access certain types of data.

Compliance with data privacy regulations
  - Understand the requirements and obligations of each regulation to ensure compliance.
  - Know the data that you collect.
  - Require clear policies to ensure compliance with data privacy regulations.
  - Employees understand the importance of protecting personal data.

TIMELINE: 1 month for appointment, audits every 6 months

RESPONSIBLE TEAMS: IT Department and Legal and Compliance Department

CONCLUSION

The data privacy breach brought to light serious weaknesses in data management procedures and
cybersecurity protections, highlighting the urgent necessity for a comprehensive and thoughtful
response. By putting in place a strong framework for data privacy compliance, improving
cybersecurity procedures, and enforcing strict access restrictions, the action plan tackles these
risks. The plan includes crucial components such as the creation of more effective cybersecurity
procedures, frequent evaluations, and continuous training for staff members to guarantee
knowledge of and preparedness against possible dangers. The strategy places a strong emphasis
on the value of open communication and a dedication to restoring consumer confidence.
Rebuilding trust and credibility requires both immediate and genuine interaction with those
affected and observable advances in security measures. By concentrating on these tactics, the
company may enhance the protection of confidential data, reduce potential threats, and
guarantee long-term trust and security.

The plan also emphasizes the significance of collaborating with external experts to ensure that
the most recent industry standards and practices are applied. This collaboration not only
strengthens the company's defenses but also sets a standard for continual progress. Furthermore,
the action plan involves the incorporation of cutting-edge technology such as AI-powered threat
detection and response systems, which provide real-time monitoring and rapid mitigation of any
security vulnerabilities. By cultivating a culture of awareness and accountability, the
organization hopes to establish a proactive mindset in its staff, making data security a crucial
component of their everyday operations. Lastly, this complete strategy not only addresses
immediate risks but also provides the framework for the organization's future resilience and
security.

REFERENCES AND APPENDICES
(1) Cheng, L., Liu, F., & Yao, D. (2017). Enterprise data breach: causes, challenges, prevention,
and future directions. Wiley Interdisciplinary Reviews Data Mining and Knowledge
Discovery, 7(5). https://doi.org/10.1002/widm.1211
(2) Statista. (2024, April 15). Causes of sensitive information loss in global businesses 2023.
https://www.statista.com/statistics/1387393/loss-sensitive-information-organizations-caus
e-worldwide/#:~:text=According%20to%20a%202023%20survey,Compromised%20syst
ems%20caused%20data%20loss.
(3) Bakare, N. S. S., Adeniyi, N. a. O., Akpuokwe, N. C. U., & Eneh, N. N. E. (2024). DATA
PRIVACY LAWS AND COMPLIANCE: A COMPARATIVE REVIEW OF THE EU
GDPR AND USA REGULATIONS. Computer Science & IT Research Journal, 5(3),
528–543. https://doi.org/10.51594/csitrj.v5i3.859
(4) The general data protection regulation. (n.d.). Consilium.
https://www.consilium.europa.eu/en/policies/data-protection/data-protection-regulation/
(5) DigitalDefynd, T. (2024, August 9). 20 AI in Finance Case Studies [2024] - DigitalDefynd.
DigitalDefynd. https://digitaldefynd.com/IQ/ai-in-finance-case-studies/
(6) Amoresano, K., & Yankson, B. (2023). Human error - a critical contributing factor to the
rise in data breaches: A case study of higher education. HOLISTICA – Journal of
Business and Public Administration, 14(1), 110–132.
https://doi.org/10.2478/hjbpa-2023-0007
(7) Badman, A. (2024, May 26). Data protection strategy: Key components and
best practices. IBM Blog. https://www.ibm.com/blog/data-protection-strategy/
(8) BasuMallick, C. (2021, October 11). What is a security vulnerability? Definition, types, and
best practices for prevention. Spiceworks Inc.
https://www.spiceworks.com/it-security/vulnerability-management/articles/what-is-a-sec
urity-vulnerability/
(9) Coos, A. (2020, December 10). Five steps to take to protect your data | Endpoint
Protector. Endpoint Protector Blog.
https://www.endpointprotector.com/blog/five-steps-to-take-to-protect-your-data/
(10) Data breach prevention strategies for 2024 | Prey. (2023, March 13).
https://preyproject.com/blog/how-to-prevent-data-breaches-5-essential-tips
(11) Gallagher, K. (2023, December 6). Data Security and Privacy: Risks, best
practices, and compliance | Endpoint Protector. Endpoint Protector Blog.
https://www.endpointprotector.com/blog/data-security-guide-what-is-data-security-threats
-and-best-practices/
(12) Gibbard, M. (2024, January 24). Preventing Data Breaches: Employee Training How-To.
https://www.linkedin.com/pulse/preventing-data-breaches-employee-training-how-to-ma
x-gibbard-cu0qe#:~:text=Employee%20training%3A%20Educate%20your%20employee
s,and%20handle%20sensitive%20information%20appropriately.
(13) How to ensure data privacy compliance? (n.d.).
https://houseofit.ph/blog/how-to-ensure-data-privacy-compliance
(14) Linao, P. (2024, April 9). How to improve cyber security: 15 ways to strengthen your
defences. Portia Linao.
https://www.officesolutionsit.com.au/blog/how-to-improve-cyber-security
(15) Solutions, D. (2023, May 25). How to Ensure Compliance with Data Privacy Regulations.
https://www.linkedin.com/pulse/how-ensure-compliance-data-privacy-regulations-101-da
ta-solutions
(16) Team, H. (2023, March 1). Understanding data privacy and how to build a data privacy
compliance program. Hyperproof.
https://hyperproof.io/resource/understanding-data-privacy/
(17) What is a Data Breach and How to Prevent It? | Fortinet. (n.d.). Fortinet.
https://www.fortinet.com/resources/cyberglossary/data-breach
(18) NIST Cybersecurity Framework: National Institute of Standards and Technology. (2018).
NIST Cybersecurity Framework Core. https://www.nist.gov/cyberframework
(19) ISO 27001: International Organization for Standardization. (2013). ISO/IEC 27001:2013
Information security management systems — Requirements for application to information
security management within an organization. https://www.iso.org/standard/270011.
(20) GDPR: European Union. (2016). Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with regard to
the processing of personal data and on the free movement of such data, and repealing
Directive 95/46/EC (General Data Protection Regulation).
https://eur-lex.europa.eu/eli/reg/2016/679/o

APPENDIX A
Massive Enterprise Data Leak Incidents
This table presents a summary of significant enterprise data breaches that occurred between 2013
and 2015, affecting multiple industries including healthcare, business, financial, and education.
Each incident resulted in the unauthorized access to millions of records, with breach types
ranging from identity theft to financial and account access. The sources of these breaches were
either malicious insiders or outsiders, with one case attributed to a state-sponsored attack.
Estimated financial impacts for these breaches vary widely, ranging from $13 million to $714
million, highlighting the significant financial risk posed by data breaches.

APPENDIX B
Common Causes of Data Loss
This data illustrates the most frequent causes of data loss in organizations. The primary factor
contributing to data loss, as shown in the chart, is careless users, accounting for 70.6% of
incidents. This category includes employees who inadvertently expose or mishandle sensitive
data, underscoring the significant human element in cybersecurity risks.
