What Lessons Can We Learn From The Tesco Bank Cyber Attack of 2016?

Tesco Bank has been fined £16.4m for security vulnerabilities that enabled cyber attackers to steal millions of pounds from their customers’ online accounts in 2016.

Back in November 2016, Tesco Bank halted thousands of transactions after many of their customers’ online accounts experienced suspicious transactions and in some cases money being taken.

This criminal activity affected up to 40,000 accounts with 9,000 of them having had money taken from their account totalling £2.26m. As a precaution, Tesco Bank halted online transactions and contactless payments, although cash withdrawals and chip and pin payments were still accepted.

The Cause of the Banking Cyber Attack

It was reported that in 2015 Tesco Bank received a fraud alert from Visa about fraudulent transactions similar to the attack in 2016, but Tesco Bank did not further secure its systems to protect customers’ accounts. Because of this, and because no further preventative measures were taken, the cyber attackers were able to carry out a successful hack.

After a thorough investigation and a review of the evidence, the FCA said

“the crooks most likely employed an algorithm that generated authentic debit card numbers, and these “virtual” cards were then used for unauthorised transactions.”

The FCA continued…

“[the] crooks took advantage of deficiencies in the “design” and “distribution” of Tesco’s debit card, but it also highlighted other failings including the way the bank configured specific authentication and employed fraud detection rules.”
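As an added example (not the article's own material, and not Tesco Bank's or the FCA's code), here is a simple issuer-side detection rule for the pattern described above: authorisations on card numbers that pass validation but were never actually issued, arriving in a burst at a single merchant. The issued-card registry, the authorisation log lines and the thresholds are constructed for illustration.

```python
"""Constructed issuer-side fraud rule: flag authorisations on card numbers
the issuer never issued, and merchants receiving bursts of them."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: PANs the issuer has actually issued to customers.
ISSUED_PANS = {"4000000000000010", "4000000000000028", "4000000000000036"}

# Constructed authorisation log: (timestamp, PAN, merchant id, amount in pence).
AUTH_LOG = [
    ("2016-11-05T02:00:00", "4000000000000010", "M-100", 1299),  # genuine card
    ("2016-11-05T02:00:05", "4000000000000044", "M-777", 9900),  # never issued
    ("2016-11-05T02:00:09", "4000000000000051", "M-777", 9900),  # never issued
    ("2016-11-05T02:00:12", "4000000000000069", "M-777", 9900),  # never issued
    ("2016-11-05T02:00:20", "4000000000000028", "M-100", 450),   # genuine card
    ("2016-11-05T03:30:00", "4000000000000077", "M-555", 2000),  # never issued, isolated
]

def unissued_auths(log, issued):
    """Return authorisations whose PAN is not in the issuer's own registry."""
    return [rec for rec in log if rec[1] not in issued]

def merchant_bursts(auths, window=timedelta(minutes=1), threshold=3):
    """Group unissued-PAN authorisations by merchant and flag any merchant
    that sees `threshold` or more distinct unissued PANs inside `window`."""
    by_merchant = defaultdict(list)
    for ts, pan, merchant, _amount in auths:
        by_merchant[merchant].append((datetime.fromisoformat(ts), pan))
    flagged = {}
    for merchant, events in by_merchant.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            pans = {p for t, p in events[i:] if t - start <= window}
            if len(pans) >= threshold:
                flagged[merchant] = sorted(pans)
                break
    return flagged

def detect(log=AUTH_LOG, issued=ISSUED_PANS):
    """Run both rules; returns (unissued-PAN authorisations, merchants with bursts)."""
    suspicious = unissued_auths(log, issued)
    return suspicious, merchant_bursts(suspicious)

if __name__ == "__main__":
    auths, bursts = detect()
    print(f"{len(auths)} authorisations on unissued PANs")
    for merchant, pans in bursts.items():
        print(f"BURST at {merchant}: {len(pans)} unissued PANs within 1 minute")
```

A single unissued-PAN authorisation (the M-555 line) is reported but not treated as a burst, so the burst rule alone would not have blocked it; an issuer would normally decline unissued PANs outright and use the burst rule to spot the campaign.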

The Fine

When it comes to banking and keeping customers’ personal information safe and secure, the FCA take this very seriously. Because Tesco Bank failed to take appropriate action to prevent the foreseeable risk of fraud, and failed to respond to the cyber-attack with sufficient rigour, skill and urgency, it was facing an initial fine of £33.5m.

However, because Tesco Bank agreed to settle the case early, it received a 30% discount. By cooperating further with the investigation, compensating affected customers and halting around 80% of unauthorised transactions before they were processed, it also qualified for a further 30%, bringing the total fine down to £16.4m.

Prevention is Better Than Cure

When it comes to successful hacks like these, the fines imposed don’t reflect the long-lasting damage a hack can have on a company, regardless of its size. In this case the security breach created a lot of bad publicity, and consumer trust will take time to rebuild; many staff hours were needed to deal with the incident, both during and after it; and the share price of Tesco Plc fell.

What About GDPR?

The General Data Protection Regulation (GDPR) came into force in 2018. Had the regulation been in effect in 2016, or had the security breach happened in 2018, it is likely that Tesco would have faced a fine of £1.9bn.

Cyber Security for Financial Services

In the last year alone, the FCA has seen a rise of more than 80% in the number of financial services companies experiencing some form of cyber-attack. With advances in technology and the growth of the Internet of Things (IoT), organisations, especially in financial services, need to stay one step ahead of the cyber attackers.

At MMRIT we have a dedicated team looking after financial service organisations just like yours. Our proactive support ensures your infrastructure is kept up to date with the latest patch management and that your infrastructure’s events are monitored and reviewed as and when they occur.

To find out more about our cyber security offering, contact our experts today.
