If you are in a regulated industry, even if you don’t ever breach the GDPR/DPA2018, there are additional regulations that could result in a breach and a fine. Tesco has just received a fine from the Financial Conduct Authority (FCA) for a data breach that happened in 2016.
What happened to Tesco?
In November 2016, Tesco Bank was the subject of a Cyber Attack where attackers used an algorithm to generate authentic Tesco Bank debit card numbers. Using these “virtual cards”, the attackers engaged in thousands of unauthorised debit card transactions, collecting over £2.26 million from real account holders. It took the Tesco Fraud Strategy team more than 48 hours to stop the attack and they had to call in an external team for backup support.
Although Tesco Bank’s controls stopped almost 80% of the unauthorised transactions, the Cyber Attack affected 8,261 out of 131,000 Tesco Bank personal current accounts.
The Financial Conduct Authority fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders during this attack.
What do you need to watch out for?
Mistakes that Tesco made when responding to the Cyber Attack were numerous, and not always with sufficient rigour, skill and urgency. These are the ones worthy of note and that we are able to learn from:
- Always have written procedures in place and follow them
Tesco Bank’s Financial Crime Operations team failed to follow written procedures to alert the on-call Fraud Strategy Analyst resulting in a significant delay in addressing the attack and mitigating the risks to its customers.
- Be careful to code any new rules correctly
Once the Fraud Strategy Team was alerted to the attack, it tried to draft a rule to block the fraudulent Brazilian transactions, but coded the rule incorrectly.
- Monitor operations closely, especially when a new rule has been implemented
Having drafted the incorrect rule, the Fraud Strategy Team failed to monitor the rule’s operation and did not discover until several hours later, that the rule was not working and the Brazilian transactions were multiplying.
- Invoke crisis management procedures as soon as possible
Tesco Bank’s crisis management procedures, including the criteria for assessing the seriousness and scale of the incident were documented, however the training materials explaining the stage at which crisis management should be invoked should have been clearer. The responsible managers should have invoked crisis management procedures earlier.
Raising awareness of incidents like this one could seriously help a business by protecting them from an unexpected fine and a big dent in their reputation. If you’re worried about the level of protection your company currently has, contact our team of specialists today on 01673 885533.