Tesco Bank hack – lessons to be learned
Ralph Lovesy, financial regulatory consultant at Kemp Little, and Krysia Oastler, data protection associate at the firm, explain how money was withdrawn from thousands of Tesco Bank customers following a cyber-attack and examine the related legal issues for banks and consumers.
Tesco Bank has been the subject of what is a highly sophisticated and coordinated cyber-attack, which appears to be the most serious to date in the UK banking industry. On 5 November 2016, Tesco Bank identified suspicious activity on a number of its current accounts. Two days later it announced that some customers’ current accounts had been subject to ‘online criminal activity’ and ‘a systematic, sophisticated attack’, in some cases resulting in money being withdrawn fraudulently. It is understood that a total of £2.5m was stolen from around 9,000 accounts and that Tesco Bank has refunded this amount in full to affected customers.
Tesco Bank has stated that it knows the exact nature of the breach, but has not provided any further details. Interestingly, it has not described the breach as a ‘hack’ and has stated that no customer data were lost, none of its systems were breached and it has not been subject to a security compromise. Accordingly, it has advised customers that it has not changed—and it is not necessary for them to change—their login or password details.
The National Crime Agency said it was ‘coordinating the law enforcement response to the Tesco Bank data breach’, while the Information Commissioner’s Office (ICO) said it was ‘looking into the details of the incident’. The Financial Conduct Authority (FCA) also announced that it would investigate after its chief executive said the incident ‘looks unprecedented in the UK’.
What are the obligations of banks in terms of preventing such cyber-attacks? How could this have been prevented?
Data protection law requires organisations that process personal data to have appropriate technical and organisational measures in place to keep that personal data secure and confidential. Such measures include using encryption techniques to protect personal data at rest and in transit, monitoring and testing systems for vulnerabilities, implementing firewalls and anti-virus software, deploying updates and security patches as soon as possible once they are available, training staff and applying access and authentication controls on a ‘least privilege’ basis. Certification to an industry standard such as ISO 27001 is a way to demonstrate compliance with good practice.
At this stage, it is unclear how the hackers were able to access the data and whether there was a breach of data protection laws—were Tesco’s security measures inadequate and vulnerable to attack or were the hackers highly skilled at being able to circumvent a sophisticated data security regime?
What steps must banks take in the wake of a cyber-breach?
The General Data Protection Regulation
Once an attack is detected, banks should take steps to remedy the breach, identify the data and data subjects affected (including volumes and categories of data), consider whether they need to notify their regulators (the ICO and the FCA) and make any required notifications. Once the General Data Protection Regulation (EU) 2016/679 (the GDPR) applies from 25 May 2018, controllers of personal data will have a mandatory obligation to notify breaches affecting personal data to the ICO without undue delay and, at the latest, within 72 hours of becoming aware of the breach.
What consumer protections are afforded to banking customers who suffer financial loss as a result of this type of attack?
Rights of data subjects
Banks are generally proactive in refunding any amounts stolen to customers who have been genuine victims of fraud. However, if a customer is not able to resolve their issue with the bank, they have the right to complain to the Financial Ombudsman Service, which will reach a decision on the basis of what it regards as ‘fair and reasonable’. Customers also have the right under the Data Protection Act 1998 (DPA 1998) to claim compensation where they suffer damage or distress as a result of a breach of DPA 1998.
What are the potential consequences of this incident for Tesco Bank?
The reputational damage caused by a data breach can be significant. The damage to customer trust and business performance in the long run is very much down to how the organisation handles the breach. Having a robust response plan in place and ‘war gaming’ to test the plan are key to ensuring that the business can respond quickly and in a way that minimises the damage both to customers and the business.
The Information Commissioner and enforcement
The ICO and FCA have a memorandum of understanding governing cases where an FCA-regulated entity suffers an incident affecting personal data. Both regulators have the power to issue monetary penalties/fines. The ICO currently has the power to issue monetary penalties of up to £500,000 for serious data protection breaches that are likely to cause substantial distress. Once the GDPR applies, the ICO will have the power to issue fines of up to the greater of €20m or 4% of global turnover. There is no limit on the amount of fines the FCA can impose. In the past, the FCA has taken the lead on issuing fines to financial services businesses that have breached the FCA rules and DPA 1998. The ICO also has the power to issue enforcement notices that require organisations to change the way they operate, for example, to implement further security measures to prevent further breaches from occurring. Often the cost of complying with these notices is higher than the fine that is issued.
Are there any gaps in financial services regulation regarding cyber-attacks? If so, how could the law be improved in this area?
The FCA Handbook already contains wide requirements in relation to the systems and controls that a regulated firm must have in place. In particular, a firm must have effective processes to identify, manage, monitor and report risks and internal control mechanisms. Therefore, the FCA has considerable discretion to interpret any cyber-security failings as indicative of wider failings in systems and controls. The FCA has a range of enforcement options including public censure, the power to issue unlimited fines and, perhaps most significantly, the ability to restrict or revoke a firm’s authorisation if it regards the firm’s conduct to be particularly serious.
Firms are required to scrutinise carefully any third party to which they wish to outsource the performance of any important function such as cyber-security. Further, in undertaking such outsourcing, firms need to do all they can to avoid impairing either the quality of their internal control or the ability of regulators to monitor the third party’s compliance.
Further, banks are subject to the senior managers regime, under which responsibility for important functions must be allocated to a designated senior manager. Therefore, the FCA will expect to see clear ownership of cyber-security at a senior level and will not be satisfied if responsibility for such matters is delegated to someone at a more junior level. If a senior manager’s conduct were to fall below the required standard, they would be at risk of criminal sanctions.
Any further thoughts which lawyers advising in this area can take away?
The risk of cyber-attack is more significant than ever. Preparation is key to being able to limit the impact of a breach. This means knowing what data the business has and where it is stored, having appropriate security measures in place to reduce the risk of a breach occurring and implementing a data breach and incident response plan, which is regularly tested to ensure its effectiveness.
This article was first published on Lexis®PSL IP & IT on 22 November 2016.