Every Little Helps – Tesco Bank Data Breach


It’s been very quiet on the data breach front of late; that’s not to say that data breaches aren’t occurring, simply that the breaches haven’t been detected.

As Eva Velasquez, president and CEO of America’s Identity Theft Resource Center, has said: “There are two kinds of consumers — those who know they’ve been breached, and those who don’t.”

According to the BBC News website (here) today (November 9th), there are around 9,000 more UK consumers who have learned first-hand about data breaches; they’re the customers of Tesco Bank who have had funds illegally taken from their current accounts. That’s down from the initial estimate of 20,000 compromised accounts, and Tesco say that they’ve refunded £2.5m to customers whose accounts were siphoned.

Another 20,000 accounts are reported to have been compromised; that’s 29,000 of around 136,000 current accounts operated by Tesco Bank – around 21% of current accounts compromised.

Obviously this is embarrassing for Tesco Bank, but to their credit they locked their systems down before the second tranche of accounts was exploited, despite the fraudulent transactions taking place ‘out of hours’, when bank offices are likely to be understaffed.

Customers have reported the theft of amounts between twenty and six hundred pounds.

At the time of writing the vector for the attack has yet to be identified, but the scale of the breach – both in terms of numbers and geography – suggests that the bank details had been harvested from a database rather than from individual transactions – such as card skimmers on cashpoints.

Speculation in the media on Tuesday November 8th (here) suggested the fraud may have originated in Spain and Brazil.

Benny Higgins, Tesco Bank’s CEO, told the BBC that he was “very hopeful” that customers would be reimbursed within 24 hours.

It’s unlikely that this data breach will be of interest to the Payment Card Industry, as it’s bank accounts rather than payment cards that have been compromised, but the Information Commissioner’s Office (ICO) has said that they’re looking into the case.

So, on top of reimbursing £2.5 million to customers, Tesco Bank are likely to face a hefty fine from the ICO; you will recall that the ICO recently fined TalkTalk £400k for last year’s data breach.

But even that pales when compared to the likely fines that would be imposed after May 2018 when the new European General Data Protection Regulation (GDPR – which came into force on 24th May 2016) becomes law in the UK – regardless of Brexit.

Without knowing which data was compromised, Tesco Bank were in breach of Article 5(f), which reads as follows:

All personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

The penalty for such a breach is documented under Article 83:

Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; 

Tesco Bank’s worldwide turnover in its preceding financial year, 2015/16, was £955 million (€1,072.6 million), of which 4% is £38.2 million (€42.9 million), although Computing suggested (here) that the GDPR fine, if levied against Tesco Group, would be up to £1.9 billion.

There are now fewer than four hundred working days until GDPR comes into force, the most significant change to data protection legislation since the introduction of the UK Data Protection Act in 1998.

Has your company started preparing?

Check out our Personal Data Security briefing notes here.

We can help; get in touch.

Updated November 9th