Yes, they do; what else are usernames, passwords, and other codes authenticated against? I think they meant that they don't store it unencrypted. That doesn't mean that it can be unencrypted, or exposed raw.
Neither is it about passwords and PINs; this is about the data being maliciously used to bring damages upon their clients.
How would they know who is impacted and not impacted? Regardless, it is their appointed data controllers. IMHO, the client should know who is their data controller and who has been authenticated at any point in time to access the data. However, Standard Bank is making this incident look, they were the accountable party, and clients should hold them accountable.
Good on them dealing with the employee, but what are they going to do about the data shared with external parties? According to the bank in their own statement, they haven't been compromised, so why have a disciplinary process?
I don't like when any person, or enterprise, speaks in tongues.