Tesco Bank has escaped with a £16.6 million fine after a cyber-attack in 2016. While the sum might seem large it could have been as much as £33.6 million. What saved Tesco was its co-operation with the Financial Conduct Authority (FCA) and not arguing over the size of the fine.
There are lessons here on both counts for other organisations, especially as the ICO flexes its GDPR muscles.
The news and size of the fine hit the Tesco share price. It started the day at 239.50, rose a little but then dropped away steadily. At close it had recovered to 236.7. Overall, not a bad result for a fine this size.
In a statement, Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
What is this about?
This all goes back to 2016 when Tesco Bank was hit by a cyber-attack. The then Tesco Bank CEO Benny Higgins, who later lost his job over the incident, said 40,000 accounts saw suspicious activity during the attack. He also said that over half had money taken. There was confusion as to how much money. Initially it was claimed that up to £600 per account had been taken but that was later adjusted to £1,000.
As with many initial reports, the number of affected customers and the amount stolen continued to change. Tesco rounded the number down to 9,000 with £2.5 million stolen. Cyber security vendors quickly blamed the Tesco Bank mobile app as being at the heart of the breach.
Tesco Bank reported the incident promptly and refunded all the monies that were taken.
An updated statement on the Tesco Bank website gave more information yesterday. It said: “In November 2016, Tesco Bank was the victim of a sophisticated criminal fraud attack. This fraud did not involve the theft or loss of any customers’ data, but led to 34 transactions where funds were debited from customers’ accounts, and other customers having normal service disrupted.”
The final amount taken was £2.26 million.
Lessons for other organisations
Because this was an attack on a bank, it was noticed quickly, but it need not have happened at all. As the FCA statement from Steward says: “…the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.”
The lesson here is that when you are told of a problem, act quickly and deal with it. Do not sit around and hope it will go away. In the world of cyber-attacks, advance warning is a gift not to be overlooked.
Tesco Bank was quick to put in place a redress programme. The FCA also noted that it: “…devoted significant resources to improving the deficiencies that left the bank vulnerable to the attack and instituted a comprehensive review of its financial crime controls.” In addition, it made significant improvements to processes, controls and the training of key staff.
The bank also cooperated with the FCA at all stages of the enquiry.
All of these contributed to Tesco Bank getting a significant reduction in the size of the fine. As the FCA and the ICO look to increase fines, cooperation appears to be the best way forward.
What does this mean?
Banks will always be a key target for cyber criminals. The more people want mobility and access anytime, anywhere, without properly protecting their devices or data, the easier attacks become. However, that doesn’t mean that apps should not be secure or properly tested. In this case it seems that Tesco Bank should and could have done more to prevent the attack.
As with all cyber-attacks, there is confusion between what was initially reported and the final conclusion. There were claims that the attack started in September and that hackers were spending money in Brazil and other countries. The data seen by CyberInt has never been explained, and the final conclusion differs from the early reports on everything but the amount taken.
Commenting on the FCA’s notice, Gerry Mallon, Tesco Bank Chief Executive, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
However you look at it, Tesco Bank has got off lightly. The fine could have been double what it has paid. It also had relatively few affected customers in the end. The next bank may not be so lucky.