22 November 2016

Tesco Bank resumes normal service, but has the damage been done…?

Andy Harris

On Monday 14th, the British Bankers’ Association launched a series of events, under the catchy title of CyRes Week, to teach banks how to improve their defences against cyber-attacks. Unfortunately, it came a few hours too late for Tesco Bank Plc. The well-publicised breach recently saw around £2.5 million pilfered from 20,000 Tesco Bank accounts in one of the biggest cyber bank robberies in British history, with one customer suffering a £2,400 personal loss. Tesco have since refunded all of the customers’ stolen money. Luckily for them, this didn’t occur after 25th May 2018, when GDPR officially comes into play: they wouldn’t just be receiving a regulatory slap on the wrist and a fine that’s probably less than the Christmas party budget; their senior management would be making a guest appearance on the 10 o’clock news and the company would be coughing up £1.9 billion (4% of their annual turnover).

And it’s only going to get worse. Just ask the IRS, the FBI, payroll giant ADP, the Department of Homeland Security or hard drive maker Seagate, all struck by data breaches this year and all aware of just how costly they can be. In fact, the global cost of dealing with attacks is set to reach $2.1 trillion by 2019, according to Lloyd’s and Juniper Research. But it’s about more than just the financial blow: according to a report by Forbes Insights and IBM, 46 percent of companies have suffered reputational damage due to a data breach, and in a Semafone/OnePoll survey, 86.55% of 2,000 respondents stated that they were “not at all likely” or “not very likely” to do business with an organisation that had suffered a data breach involving credit or debit card details. Tesco Bank’s operating income has accounted for as much as a quarter of Tesco’s total in some years, so there’s a lot at stake. They tried to build a bank that challenged the Big Four on the strength of the Tesco brand’s reputation, but now, how can you trust them? Who can blame consumers for being reluctant to switch from the Big Four?

“Unprecedented”…really?

The National Cyber Security Centre (NCSC), a new government body, is trying to reassure the British public that everyone is working hard to understand the nature of the Tesco breach, but there are no answers yet. Reported cyber-attacks on financial institutions in Britain have actually increased from just 5 in 2014 to more than 75 so far this year, according to data from the Financial Conduct Authority, so when the NCSC’s financial regulator described the Tesco data breach as “unprecedented”, that’s worrying, because it shouldn’t have been. Smaller banks like Tesco are more vulnerable to attacks because they don’t have, for example, JP Morgan’s $600 million annual IT security budget, but lawmaker Andrew Tyrie, chair of Parliament’s powerful finance committee, called the banks and regulators out and said that they, Tesco included, have done too little to improve cybersecurity. According to Ian Mann, chief executive of cyber-security service ECSC, Tesco Bank’s method of access for customers is “weak for this type of system”.

It isn’t yet clear how thieves broke into Tesco Bank, how they pulled the funds, or even exactly how much was stolen, but what’s most concerning is that 20,000 accounts were accessed simultaneously, which Greg Salyards, principal consultant at Identity Automation, says indicates an inside job.

“We can’t carry on like this…”

That’s what Andrew Tyrie, chairman of parliament’s Treasury select committee, said, adding that he’d be writing to regulators and Tesco Bank’s CEO to find out what went wrong. The BBC quoted CEO Benny Higgins as describing the theft as a “systematic, sophisticated attack”. Cloud computing means that hackers have far more points of entry, and organisations need to be proactive and put better security in place to guarantee the safety of data: multiple layers of control and close monitoring of access, to protect from the inside and stop theft on the way out, instead of hoping for the best with a patchwork perimeter.

Tesco is not the first to be targeted, and it won’t be the last. No organisation is safe, and it makes you wonder who’s next before businesses get to grips with security. Metro Bank? Apparently, no customer data was compromised during the Tesco attack, but that’s no comfort; such an attack could damage a customer’s credit history or max out their medical coverage. Consumers may think it will never happen to them, but when it does, they won’t be forgiving: they’ll have taken personal measures to protect their own data and will be less than impressed to find out that the reason you didn’t was simply that, unlike them, your company wasn’t keeping up with the IoT times. Everyone needs to upgrade, and those who don’t will suffer irreparable damage to their reputation and, subsequently, their bottom line.