Following today's Tesco Bank breach fine, is GDPR going to have a positive impact for private individuals?

In this section
Following today's Tesco Bank breach fine, is GDPR going to have a positive impact for private individuals?
2018-10-01

In recent weeks, we have seen a number of large and successful cyber attacks against a range of companies across different market sectors. Witness the British Airways attack last month when 380,000 customers had their personal and credit card details stolen. The recent Facebook attack last week, exposing 50 million user accounts to fraud, is another example of the scale of the problem.

Today, Tesco Bank were fined a total of £16,400,000 by the Financial Conduct Authority (FCA) for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack that took place in November 2016, during which some 9,000 customers lost £2.26 million. It is clear that the FCA has taken a far more rigorous approach in dealing with this breach that would have been the case prior to the new European Union General Data Protection Regulation (GDPR) coming into force. Under previous UK regulations, the maximum fine would have been £500,000.

It is clear that the new regulator for GDPR, the FCA in the UK, will brook no nonsense when it comes to cyber breaches, and particularly in relation to Financial Services firms. The FCA strongly believes that all firms, and especially financial services firms, can and should do better to protect their customers from such events.

This fine provides an early insight into the thinking of the GDPR regulators who clearly hold the interestes of private individuals high in their sights. This is very encouraging and represents a welcome change in approach.

In this case, once the breach happened, the bank immediately put in place a comprehensive redress programme and provided significant resources to improve the deficiencies that left the bank vulnerable to attack in the first place. While this should already have been in place, the bank at least did something right, and following a very high level of co-operation with the FCA during the subsequent investigations, were granted a 30% credit for mitigation, plus a further 30% (Stage 1) discount under the FCA’s executive settlement procedure, but for which the fine would have been £33,562,400. While for many that would represent a huge amount of money, it is nowhere near the maximum fine that could be issued, particularly where the firm refuses to co-operate, and where liability might extend to the parent group.

This fine would suggest that the regulator is moving in the right direction. Looking at what might happen with the BA attack, it is clear that their security was lacking. However, it is notable that they were able to retain the forensic records of all database queries, which did allow them to run the queries on a copy dataset to establish exactly which customers were affected. As for Facebook, the EU GDPR regulator has indicated frustration at the lack of detail provided by the company to date. It will be interesting to see how the respective reglators approach these breaches in the fullness of time.

 

Dr Robert Duncan is a senior lecturer in Accounting and Finance at the University of Aberdeen Business School and is co-Chair for the Enterprise Security Workshop at the IEEE/ACM International Conference on Utility and Cloud Computing, as well as being a member of the Advisory Committee for the CLOUD COMPUTING series

Published by Business School, University of Aberdeen

Search Blog

Browse by Month

2024

  1. Jan There are no items to show for January 2024
  2. Feb There are no items to show for February 2024
  3. Mar There are no items to show for March 2024
  4. Apr
  5. May There are no items to show for May 2024
  6. Jun There are no items to show for June 2024
  7. Jul There are no items to show for July 2024
  8. Aug There are no items to show for August 2024
  9. Sep There are no items to show for September 2024
  10. Oct There are no items to show for October 2024
  11. Nov
  12. Dec There are no items to show for December 2024

2023

  1. Jan There are no items to show for January 2023
  2. Feb There are no items to show for February 2023
  3. Mar There are no items to show for March 2023
  4. Apr There are no items to show for April 2023
  5. May There are no items to show for May 2023
  6. Jun
  7. Jul There are no items to show for July 2023
  8. Aug There are no items to show for August 2023
  9. Sep There are no items to show for September 2023
  10. Oct There are no items to show for October 2023
  11. Nov There are no items to show for November 2023
  12. Dec There are no items to show for December 2023

2022

  1. Jan
  2. Feb There are no items to show for February 2022
  3. Mar
  4. Apr
  5. May There are no items to show for May 2022
  6. Jun There are no items to show for June 2022
  7. Jul There are no items to show for July 2022
  8. Aug There are no items to show for August 2022
  9. Sep
  10. Oct There are no items to show for October 2022
  11. Nov
  12. Dec There are no items to show for December 2022

2021

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. Jun There are no items to show for June 2021
  7. Jul There are no items to show for July 2021
  8. Aug There are no items to show for August 2021
  9. Sep
  10. Oct There are no items to show for October 2021
  11. Nov
  12. Dec

2020

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May There are no items to show for May 2020
  6. Jun There are no items to show for June 2020
  7. Jul
  8. Aug There are no items to show for August 2020
  9. Sep
  10. Oct
  11. Nov
  12. Dec There are no items to show for December 2020

2019

  1. Jan There are no items to show for January 2019
  2. Feb
  3. Mar
  4. Apr
  5. May
  6. Jun
  7. Jul
  8. Aug There are no items to show for August 2019
  9. Sep
  10. Oct
  11. Nov There are no items to show for November 2019
  12. Dec There are no items to show for December 2019

2018

  1. Jan
  2. Feb
  3. Mar
  4. Apr
  5. May There are no items to show for May 2018
  6. Jun
  7. Jul
  8. Aug
  9. Sep
  10. Oct
  11. Nov
  12. Dec There are no items to show for December 2018

2017

  1. Jan There are no items to show for January 2017
  2. Feb There are no items to show for February 2017
  3. Mar There are no items to show for March 2017
  4. Apr There are no items to show for April 2017
  5. May There are no items to show for May 2017
  6. Jun There are no items to show for June 2017
  7. Jul There are no items to show for July 2017
  8. Aug There are no items to show for August 2017
  9. Sep There are no items to show for September 2017
  10. Oct There are no items to show for October 2017
  11. Nov
  12. Dec