In recent weeks, we have seen a number of large and successful cyber attacks against a range of companies across different market sectors. Witness the British Airways attack last month when 380,000 customers had their personal and credit card details stolen. The recent Facebook attack last week, exposing 50 million user accounts to fraud, is another example of the scale of the problem.
Today, Tesco Bank were fined a total of £16,400,000 by the Financial Conduct Authority (FCA) for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack that took place in November 2016, during which some 9,000 customers lost £2.26 million. It is clear that the FCA has taken a far more rigorous approach in dealing with this breach than would have been the case prior to the new European Union General Data Protection Regulation (GDPR) coming into force. Under previous UK regulations, the maximum fine would have been £500,000.
It is clear that the new regulator for GDPR, the FCA in the UK, will brook no nonsense when it comes to cyber breaches, and particularly in relation to Financial Services firms. The FCA strongly believes that all firms, and especially financial services firms, can and should do better to protect their customers from such events.
This fine provides an early insight into the thinking of the GDPR regulators, who clearly hold the interests of private individuals high in their sights. This is very encouraging and represents a welcome change in approach.
In this case, once the breach happened, the bank immediately put in place a comprehensive redress programme and provided significant resources to remedy the deficiencies that left the bank vulnerable to attack in the first place. While this should already have been in place, the bank at least did something right, and following a very high level of co-operation with the FCA during the subsequent investigations, were granted a 30% credit for mitigation, plus a further 30% (Stage 1) discount under the FCA’s executive settlement procedure, but for which the fine would have been £33,562,400. While for many that would represent a huge amount of money, it is nowhere near the maximum fine that could be issued, particularly where the firm refuses to co-operate, and where liability might extend to the parent group.
This fine would suggest that the regulator is moving in the right direction. Looking at what might happen with the BA attack, it is clear that their security was lacking. However, it is notable that they were able to retain the forensic records of all database queries, which did allow them to run the queries on a copy dataset to establish exactly which customers were affected. As for Facebook, the EU GDPR regulator has indicated frustration at the lack of detail provided by the company to date. It will be interesting to see how the respective regulators approach these breaches in the fullness of time.
Dr Robert Duncan is a senior lecturer in Accounting and Finance at the University of Aberdeen Business School and is co-Chair for the Enterprise Security Workshop at the IEEE/ACM International Conference on Utility and Cloud Computing, as well as being a member of the Advisory Committee for the CLOUD COMPUTING series.