Regular readers may remember that back in November 2016 we blogged about a cyber attack on Tesco Bank in which money was taken from 20 000 customers and all on-line banking was suspended. At the time, Tesco Bank were seen to have managed some aspects of the incident very well: the fraud was detected promptly and an automated text system was used to alert customers. However, inbound communications were not handled so well with complaints of long delays at call centres and inadequate responses when customer finally got through.
Yesterday the Financial Conduct Authority (FCA) announced that Tesco was being fined £16.4m, stating that “the attack had been largely avoidable and that Tesco had not responded to it with sufficient rigour, skill nor urgency.” Specifically, the FCA highlights that Tesco Bank had been warned about the vulnerability but did not take action until the attack occurred. The size of the fine is much greater than the £500 000 maximum that could be imposed by the Information Commissioner’s Office (ICO) under the legislation that applied at the time but, under GDPR, we can expect to see the ICO also issuing fines of this magnitude.
You can find out more about how to protect your data in the information security section of our website.