Tesco Could Have Been Facing £2bn Fine After The Bank Hack

Uploaded on 2016-11-23 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law, BUSINESS-Services-Financial

Tesco Bank may have refunded £2.5m to its current account customers following the recent attack but its parent company could have been facing a fine of nearly £2bn if the breach had happened under the EU General Data Protection Regulation (GDPR), coming into force in May 2018.

Tesco Bank had a turnover of £955m in the year to the end of September 2016, according to Tesco's latest accounts, but the parent firm filed a turnover of £48.4bn.

Under the GDPR, that could subject the company to a fine of up to 4% of worldwide group turnover, equaling £1.94bn, with possible class-action lawsuits on top.

On the 11th November the bank confirmed normal service had resumed following the temporary suspension of online transactions from current accounts.

It also insisted that personal data was not compromised as a result of fraud that took place over the weekend of November 5-6 and that online transactions had been suspended to prevent criminal activity.

Tesco Bank chief executive Benny Higgins commented: “Our first priority throughout this incident has been protecting and looking after our customers and we’d again like to apologise for the worry and inconvenience this issue has caused.

“We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’d also like to reassure our customers that none of their personal data has been compromised.”

After Tesco’s are more Banks Cyber Vulnerable?

Consumers worried about falling victim to online banking fraud should consider banks that give customers card readers and avoid those which rely on text messages, according to leading security expert Graham Cluley.

He was speaking as Tesco Bank continued to deal with the fallout from the “systematic, sophisticated attack” that resulted in £2.5m being taken from around 9,000 current account holders.

Meanwhile, another expert says that the Tesco attack could be the first of many, and banks should be forced by regulators to up their game.

Experts have suggested that the cyber-attack on Tesco Bank could be an inside job. Cyber criminals managed to steal money from more than 20,000 accounts at nearly the same time in automated fashion.

The bank was forced to suspend online banking for all its 136,000 customers after money, in some cases several thousand pounds, was stolen from accounts. It is thought much of it ended up in Spain and Brazil.

Although the number of customers affected was later downgraded from the original 20,000, Tesco has declined to reveal how the money was taken. It did say that personal data had not been compromised, leading some experts to suggest that the fraudsters had gained debit card details, or found a vulnerability in its app.

The National Crime Agency is investigating, but questions are already being asked about levels of security.

It has emerged that Tesco Bank used to issue customers with card readers, small devices that generate a unique passcode when you insert your card and key in your pin. These typically authorise your login and certain transactions. But the bank later moved to mobile phone verification, where it sends a code to your handset.

Cliff Moyce, global head of financial services at technology firm DataArt, told Guardian Money that the financial regulators need to take a stronger line if further incidents are to be prevented.

Moyce, who has worked in financial security for more than 25 years, says Tesco Bank customer losses were “almost certainly” not the result of a TalkTalk-style outside hack, but were more likely caused by a failure of its IT security and data protection processes.

“No bank can ever claim to be 100% secure and attacks by fraudsters are a fact of life. The problem is that the banks need to do a lot better, the regulators need to be forcing them to adopt the best practice… unless this happens it will only be a matter of time before there is another similar episode at another bank,” he says.

One line of investigation is likely to focus on the possibility of an “economic hack”, says Moyce, whereby an offshore employee is offered multiples of their annual salary in return for a tranche of customer data. One thing that might raise eyebrows is that the bank’s staff were seemingly encouraged to use their own smartphones and tablets for work, a trend commonly known as “bring your own device”, or BYOD.

In a 2015 interview Tesco Bank’s then chief information officer, Chris Brocklesby, revealed how he had “championed” BYOD, adding: “A trial has been successful and we will fully roll out in 2015. The initial release will be for phones and tablets.”

Moyce, who admits he has no idea if this was taken up at Tesco Bank, says such a move would be controversial. “BYOD always brings risks, especially in the areas of breaches of the UK Data Protection Act, as it is too easy for confidential and sensitive information to end up in a personal device that may be lost, sold or taken to another employment. There is also a risk of introducing malware into a secure network.”

He suggested good BYOD policies, implemented rigorously, can reduce the risks to the same level as any company-supplied devices. The question is whether your bank is operating good policies and practices.

Professor Alan Woodward, banking security expert at the University of Surrey, says he was surprised Tesco has been so coy about what actually happened. “The fact they have said that customers’ personal data was not compromised suggests that the hackers may have harvested customers’ debit card details and then used them in an automated mass attack. They really need to come out and give more details.”

In October 2016 the consumer group Which? criticised some of Britain’s biggest banks for failing to invest in security systems that would better protect their customers from fraudsters. It tested the UK’s 11 biggest banks and building societies and found that the security at five was not good enough.

Other Recent Bank Attacks

Two of Russia’s largest banks, Sberbank (SBER.MM) and Alfa Bank, say they have been hit by cyber-attacks in recent days.

Cybersecurity firm Kaspersky Lab said the distributed denial of service (DDoS) attacks represented the first major wave of such attacks on Russian banks this year and that at least five of the country’s largest banks had been targeted.

Russia has been on high alert for cyber threats after US Vice President Joe Biden said in October that Washington would retaliate against alleged Russian hackers “at the time of our choosing” following what the United States said was a campaign of cyber-attacks against Democratic Party organisations.

The source of this week’s attacks was unknown, however, and neither of the two Russian banks, nor Kaspersky, linked them to Biden’s comments.

Kaspersky said Russian banks were regularly subject to DDoS attacks, in which those conducting the attack flood the target with junk Internet traffic to disrupt its computer systems.

DataIQ:      Guardian:     InformatioSecurity:  AlJazirah:   

 

 

 

 

« Russia To Block LinkedIn
24 Cyber Criminals Arrested »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

SureCloud

SureCloud

SureCloud is a Governance, Risk and Compliance (GRC) and Cybersecurity Solutions provider.

ObserveIT

ObserveIT

ObserveIT helps companies identify & eliminate insider threats. Visually monitor & quickly investigate with our easy-deploy user activity monitoring solution.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Zettaset

Zettaset

Zettaset’s XCrypt Data Encryption Platform delivers proven protection for Object, Relational/SQL, NoSQL, and Hadoop data stores…in the cloud and on-premises.

ANIS

ANIS

ANIS represents the interests of Romanian IT companies and supports the development of the software and services industry.

Trusona

Trusona

Trusona is a pioneer and leader in passwordless two-factor authentication (2FA).

OpenZeppelin

OpenZeppelin

OpenZeppelin builds developer tools and performs security audits for distributed systems that power multimillion-dollar economies.

NeuroChain

NeuroChain

NeuroChain is an intelligent ecosystem that is more secure, more reliable and much faster than blockchain.

Cybil

Cybil

Cybil is a publicly-available portal where members of the international cyber capacity building community can find and share information to support the design and delivery of programs and projects.

ANSEC IA

ANSEC IA

ANSEC is a consultancy practice providing independent Information Assurance and IT Security focussed services to customers throughout the UK, Ireland and internationally.

Testhouse Ltd

Testhouse Ltd

Testhouse is a thought leader in the Quality Assurance, software testing and DevOps space. Founded in the year 2000 in London, UK, with a mission to contribute towards a world of high-quality software

Cyberguardians

Cyberguardians

Cyberguardians is a team of experienced cybersecurity experts and consultants who always believe in the value and a high level of cybersecurity services to clients.

Labaton Sucharow

Labaton Sucharow

Standing on the horizon of law and technology, our Cybersecurity and Data Privacy Practice helps to protect consumers who have been harmed by businesses’ failures to safeguard their customers' data.

CyberSecureRIA

CyberSecureRIA

We founded CyberSecureRIA specifically to secure and support RIAs. We exist to secure SEC-registered RIAs, and keep them compliant with cybersecurity regulations.

Center for Cyber Security Studies & Research (CFCS2R)

Center for Cyber Security Studies & Research (CFCS2R)

CFCS2R's mission is to empower individuals, organizations, and governments with the knowledge and tools necessary to protect against cyber threats.

Cythera

Cythera

Cythera is an Australian cyber security company with in-house cyber security professionals providing world-class cyber protection to medium to large companies all over Australia.