Tesco Bank could be fined millions of pounds following its data breach that affected 40,000 customer accounts, with 20,000 of them actually having money taken from their accounts.
This is awful. In an age where data breaches and cyber attacks are on the rise, people want to be assured that their data and their finances are safe, but that is getting harder as it feels as though these big data breaches are happening all the time.
Background to the cyber-attack
Tesco fell victim to a “systematic and sophisticated” attack when 20,000 customer bank accounts were accessed. A full investigation has been initiated by the National Crime Agency, and city regulators are looking to penalise the bank for its inadequate protection.
This is also thought to be the first time a bank has acted very publicly about such an attack.
The Bank was forced to inform their customers that all online transactions would be suspended until they could “bring things back into control”, after they detected fraudulent activity across their customers’ accounts.
Following the cyber-attack, Tesco said that it was their priority to ensure that customers were adequately protected. It is arguable that it’s a little too late since the damage has already been done.
As the cyber-attack is part of a criminal investigation, very few details surrounding the nature of the attack have been published to date. However, head of Tesco Bank, Benny Higgins, said he knew “exactly” what the attack was.
If Tesco is found to have provided inadequate protection for their customers, they will probably have to pay the price, and it’s not looking cheap either. The regulators, which include the Financial Conduct Authority (FCA) and the Bank of England’s Prudential Regulation Authority (PRA), are investigating the matter.
The FCA are seeking a response to and explanation of the attack. Both authorities are tasked with regulating and supervising banks and other financial services. The FCA and PRA have the power to impose penalties, as was shown two years ago when they fined the Royal Bank of Scotland (RBS) £56 million after an ‘unacceptable’ systematic failure affecting 6.5 million customers over a number of weeks. RBS’ failures meant millions of customers were unable to carry out their transactions: transactions that were integral to businesses and personal account holders. Since then, RBS has pumped millions of pounds into improving its computer systems, and I suspect Tesco Bank may do the same if they’re found to have breached any data protection rights of their customers.
The Information Commissioner’s Office (ICO) are also looking into the matter, as they fight to press businesses to have appropriate measures in place to handle their customers’ data in a secure and sensitive way. The ICO can also impose fines on companies like Tesco where a breach of data protection is found. This is not uncommon: TalkTalk was fined £400,000 for their failure to protect their customers’ personal details in the big breach from last year.
No financial risk?
Mr Higgins has pledged that all financial costs will be borne by the bank, ensuring that customers will not be at any financial risk.
But we all know that this can’t really be true: customers must be at some sort of risk of further cyber-attacks. Once the attackers have access to sensitive information, they could commit further criminal acts, e.g. through identity fraud.
All stolen money has supposedly been returned to the Bank’s customers, although Tesco has not mentioned any compensation schemes. To put this into perspective, cybersecurity experts said that the scale of the attack was “unheard of in UK banking” and a senior researcher stated it “is the biggest incident that I can think of in banking terms”. Therefore, more should be done to compensate their customers and to prevent these kinds of attacks from happening again.