What’s the deal with… the Tesco Bank hack?

With the glare of the world’s media trained keenly on events across the pond following Donald Trump’s historic victory in the US Presidential Elections, attention has been (albeit momentarily) diverted away from Tesco Bank’s recent woes.

What happened?

Over the course of the weekend (5 – 6 November 2016) it was reported that approximately 20,000 customers of Tesco Bank (the banking arm of the supermarket giant) saw their money vanish from their current accounts.

A further 20,000 customers reported instances of suspicious activity. The total amount stolen has not yet been revealed but some customers have cited losses of up to £2,400 each.

To date, Tesco Bank has confirmed that it has refunded around 9,000 customers up to £2.5m following the breach.

Why is it so significant?

All banks are vulnerable to cyber security breaches. Financial Fraud Action UK have said that British consumers and financial institutions lost more than £250m in 2015 – an increase of 26 per cent from 2014. However, a number of senior figures within the banking and cybercrime sectors have commented that a cyber-breach of this scale and concentration is “unprecedented”.

How did this happen?

Details are yet to be confirmed; however, according to the Financial Times, on 7 November 2016, the National Crime Agency (NCA) (who have been notified and will be leading the investigation for law enforcement) believe the hack is likely to have originated from an organised crime syndicate rather than state-sponsored actors or hacktivists. Cyber-attacks vary in terms of sophistication and at this stage, the NCA could not comment as to how they would approach their investigation.

However, experts have said that the hackers could have taken any number of routes to obtain the customer data although, given the size and speed of the attack, it is believed that hackers could have targeted a vulnerability in Tesco Bank’s central system.

Regulatory impact: what is going to happen?

According to the FT, the UK’s Information Commissioners Office (ICO) has announced that it will be “looking into the details” of the cyber-breach.

Curiously, Tesco Bank was quoted by the BBC in an article on 8 November as stating that personal data “was not compromised” in the attack. This seems a little unlikely. Although financial data will not, on its own, constitute “personal data” for the purposes of data protection law, when linked with other identifiers it is difficult to conceive how a breach, on this scale, could not compromise personal data. On this basis it seems inevitable that the ICO will conduct an in-depth investigation into how securely Tesco Bank held its customers’ data. The ICO recently demonstrated its growing intolerance towards security breaches by fining TalkTalk £400,000 for failing to keep its customers’ personal data secure.

For TalkTalk, the ICO took into account a range of factors including: the impact and potential distress that the breach would have on affected customers. This is something Tesco Bank should be concerned about. The press has already reported numerous stories of customers suffering distress due to the breach, resulting in Tesco Bank’s share price falling by 3 per cent on Monday.

A spokesperson for the ICO told IT business website, IT Pro that if, after assessing the details of the incident, it finds Tesco Bank has failed to have appropriate measures in place to keep customers’ personal data secure then it will “enforce as necessary”.

An independent expert has stated that given the sheer number of accounts that have been hacked, “the problem was really at Tesco’s end”. This does not look good for Tesco. Yes, Tesco may have won a few brownie points with the public following “Marmitegate”, but this is sure to be yet another reputational blow for the multinational retailer and household name.

While it is far too early to speculate as to the outcome of the investigations, if the ICO applies a similar approach to the Tesco Bank breach as it did with TalkTalk, Tesco Bank could end up receiving a hefty monetary penalty fine. However, there is one small mercy for the brand. A the breach occurred under the existing Data Protection regime, any fine will be limited to a value up to £500,000.

The forthcoming General Data Protection Regulation, however, provides supervisory authorities with the power to issue much more gruesome sanctions (being the higher of 4 per cent of annual worldwide turnover or EUR 20 million). It is not yet known what an equivalent fine might look like under this new regime (although clearly a compensation package of £2.5m will pale in comparison to GDPR fine).

Lessons

It is a fact of modern life: no matter how expensive or sophisticated your security systems are, no organisation is immune from a data breach (especially if it is malicious and/or it is coupled with human error). There are, however, lessons to be learnt here. Irrespective of your size or the depth of your pockets, all organisations have a duty to ensure that:

  • They have robust security and monitoring systems in place, which are appropriate for the type of data held
  • Staff are kept properly trained as to all relevant security arrangements and protocols
  • Well-structured and clear breach management procedures are in place, to answer the door, when the press and the regulators come a ‘knockin’

After all, despite what events in the US might lead you to believe, not all publicity is necessarily good publicity.

Alexandra Gill is and associate and Ben Le Page is a trainee at Collas Crill