[Ed. Note: Post updated October 2018.] Tesco Bank is a well known UK bank. Created with the help of the Royal Bank of Scotland, Tesco today enjoys 7 million customer accounts. Confidence in the bank was badly shaken this week when the bank announced that thousands of accounts were the victim of a cyberhacking attack. New evidence now suggests that the incident may have been state sponsored.
The story first broke on Monday, November 7th when the bank announced on social media that many accounts were illegally accessed.
“Over the weekend, some of our customers’ current accounts have been subject to online criminal activity. Our first priority is to protect your account so we have taken the precautionary measure of temporarily suspending online transactions from your account, this includes contactless transactions… We are very sorry for the inconvenience and will let you know as soon as we resume normal service.”
The bank told regulators on Monday that as many as 40,000 accounts had been accessed and that money had been taken from half of them. On Tuesday the bank reduced that number and said that 9,000 accounts had lost money. The bank says it has reimbursed account holders the equivalent of $3.15 USD.
Now a House of Commons’ Treasury Select Committee Member of Parliament claims the cyberhacking incident may be state sponsored.
Britain’s newly formed National Cyber Security Centre and the National Crime Agency are investigating. Neither law enforcement agency would confirm a link to the crime being state sponsored, but both have confirmed the cyberhacking incident was extremely sophisticated. It appears that money from customer accounts was sent to Spain and Brazil.
A story in the Guardian reveals that last year Tesco Bank’s IT director was championing bank staff using their own computers for work. Called BYOD or “bring your own device,” bankers could use their own devices for work purposes. If true, that practice exponentially increases the chance that an unsuspecting employee could have had his or her computer compromised.
Tesco Bank Fined £16.4 – Bank Did “Too Little, Too Late”
On October 1, 2018, Tesco Bank was fined $21.4 million (USD equivalent) by Britain’s Financial Conduct Authority.
According to a press release from the Authority,
“Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.”
A spokesperson for the authority said of the fine,
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
In a shocking revelation, regulators say operations personnel waited 21 hours before alerting the bank’s fraud strategy team. That delay allowed thousands of additional customers to lose money in their accounts.
In setting the fine, the government acknowledged that Tesco immediately implemented new security protocols after the attack. Regulators believe that the bank is less susceptible to an attack today. The bank also reimbursed customers for their losses.
What most disturbs us is that Visa had warned Tesco Bank of this very attack. They knew such an attack was possible and had adequate time to prepare – over one year! Yet they were caught completely unprepared and then botched their response once the attack was underway.
While Tesco may be more ready for an attack, regulators in the US and Europe continue to learn of hundreds of data breaches each week. As hackers grow more sophisticated, we don’t expect these numbers to decrease in the near future.
Cyberhacking Opportunities for Bank Whistleblowers – FIRREA
Regardless of whether the criminals behind this latest cybersecurity breach were teenage hackers, members of an organized crime ring or state sponsored thieves, banks have a duty to protect customers’ data and accounts. In the U.S., cybersecurity oversight is the responsibility of the Federal Reserve, the Comptroller of the Currency and the FDIC.
Current regulations require banks to have robust cyberhacking protections in place and to promptly report any cyber theft attempts. In the Tesco Bank case, it appears that the bank immediately reported the intrusion and loss of funds. That allowed authorities to quickly investigate. Unfortunately, we know of incidents where banks have covered up hacking incidents to avoid embarrassment, regulatory fines and a loss of customer confidence.
When a bank fails to follow robust cybersecurity protocols or doesn’t report hacking incidents, the bank could be liable under the Financial Institutions Reform Recovery and Enforcement Act (FIRREA).
Under FIRREA, whistleblowers who report cyberhacking violations involving banks subject to U.S. regulation can receive awards of up to $1.6 million.
Collecting an award involves filing a sealed declaration with the Justice Department. Violations are usually investigated by the banking agencies named above, the FBI and the Financial Crimes Enforcement Network.
Are the awards real? To date our banking whistleblower clients have recovered over $100,000,000.00!
For more information, visit our cybersecurity information page or give us a call. All inquiries are protected by the attorney-client privilege and kept confidential. Contact attorney Brian Mahany at or by telephone at (414) 704-6731 (direct).
Mahany Law – America’s Cyberhacking – Cybersecurity Whistleblower Lawyers