The system must delete the information from mobile devices after 10 failed authentication attempts.
CWE-459: Incomplete Cleanup: The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
Directive 2002 58 EC (amended by E-privacy Directive 2009 136 EC). Art. 4: Security of processing.(1a): The measures referred to in paragraph 1 shall at least protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure.
OWASP-ASVS v4.0.1 Appendix C: Internet of Things Verification Requirements.(C.25): Verify that the device wipes firmware and sensitive data upon detection of tampering or receipt of invalid message.
OWASP-ASVS v4.0.1 V8.3 Sensitive Private Data.(8.3.8): Verify that sensitive personal information is subject to data retention classification, such that old or out of date data is deleted automatically, on a schedule, or as the situation requires.