Following today's Tesco Bank breach fine, is GDPR going to have a positive impact for private individuals?
2018-10-01

In recent weeks, we have seen a number of large and successful cyber attacks against a range of companies across different market sectors. Witness the British Airways attack last month when 380,000 customers had their personal and credit card details stolen. The recent Facebook attack last week, exposing 50 million user accounts to fraud, is another example of the scale of the problem.

Today, Tesco Bank was fined a total of £16,400,000 by the Financial Conduct Authority (FCA) for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack that took place in November 2016, during which some 9,000 customers lost £2.26 million. It is clear that the FCA has taken a far more rigorous approach in dealing with this breach than would have been the case prior to the new European Union General Data Protection Regulation (GDPR) coming into force. Under previous UK regulations, the maximum fine would have been £500,000.

It is clear that the new regulator for GDPR, the FCA in the UK, will brook no nonsense when it comes to cyber breaches, and particularly in relation to Financial Services firms. The FCA strongly believes that all firms, and especially financial services firms, can and should do better to protect their customers from such events.

This fine provides an early insight into the thinking of the GDPR regulators, who clearly hold the interests of private individuals high in their sights. This is very encouraging and represents a welcome change in approach.

In this case, once the breach happened, the bank immediately put in place a comprehensive redress programme and provided significant resources to remedy the deficiencies that had left the bank vulnerable to attack in the first place. While these controls should already have been in place, the bank at least did something right, and following a very high level of co-operation with the FCA during the subsequent investigations, it was granted a 30% credit for mitigation, plus a further 30% (Stage 1) discount under the FCA’s executive settlement procedure; without these, the fine would have been £33,562,400. While for many that would represent a huge amount of money, it is nowhere near the maximum fine that could be issued, particularly where the firm refuses to co-operate, and where liability might extend to the parent group.

This fine would suggest that the regulator is moving in the right direction. Looking at what might happen with the BA attack, it is clear that their security was lacking. However, it is notable that they were able to retain the forensic records of all database queries, which allowed them to re-run those queries on a copy of the dataset to establish exactly which customers were affected. As for Facebook, the EU GDPR regulator has indicated frustration at the lack of detail provided by the company to date. It will be interesting to see how the respective regulators approach these breaches in the fullness of time.

Dr Robert Duncan is a senior lecturer in Accounting and Finance at the University of Aberdeen Business School and is co-Chair for the Enterprise Security Workshop at the IEEE/ACM International Conference on Utility and Cloud Computing, as well as being a member of the Advisory Committee for the CLOUD COMPUTING series

Published by Business School, University of Aberdeen