Tesco Bank has just been fined £16.4m following a cyber-attack in 2016 in which customer accounts were compromised and left exposed to theft.
The attack first came to light when the supermarket giant spotted ‘suspicious transactions’ on 40,000 accounts. The bank initially estimated that money had been taken from 20,000 customers; that figure was later revised down to 9,000. In response, Tesco Bank suspended parts of its online banking system, which appears to have been the first time a UK bank reacted publicly to online criminal activity by suspending services.
At the time, the attack was widely reported to have exploited weaknesses in Tesco Bank’s mobile applications. Before the attack, several security experts had warned the bank about the vulnerabilities.
What have we learned from the attack?
In 2016 an attack of this kind was still unusual. Just two years later, reports of wide-reaching data breaches have become commonplace.
The fine shows that organisations need to be prepared to respond to a data breach. Under the EU GDPR (General Data Protection Regulation), which has applied since 25 May 2018, breach reporting rules are stricter: an organisation must notify its supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; a late notification must be accompanied by reasons for the delay. Note that the Tesco Bank incident itself predates the GDPR, and the £16.4m penalty was imposed by the Financial Conduct Authority under its own rules, so the GDPR requirements described here set the standard organisations are held to now rather than the basis of this particular fine.
How data breach preparation could have helped
Tesco Bank was criticised for failing to communicate clearly the scope and nature of the breach to those affected, with many customers kept on hold for hours while trying to find out whether their account was included. The GDPR’s reporting rules require organisations to “communicate the personal data breach to the data subject without undue delay” where the breach is likely to result in a high risk to the rights and freedoms of individuals. That communication must describe the nature of the breach in clear and plain language, give a point of contact, and explain the likely consequences and the measures the organisation has taken or proposes to take, exactly the information Tesco Bank’s customers struggled to obtain.
How Vigilant Software can help
According to the UK government’s Cyber Security Breaches Survey 2018, 98% of UK businesses rely on some form of digital communication or service, and the majority hold personal data electronically.
The survey also found that 43% of all businesses – including 72% of large businesses – identified cyber security breaches or attacks in the previous 12 months, and more than half of those reported being affected by them. In such a hostile environment, meeting your data protection compliance obligations and following information security best practice have never been more important.
Vigilant Software aims to make data protection, cyber security, information security and risk management straightforward and affordable for all. Drawing on our years of experience developing and deploying risk management tools and services, our products eliminate the complexity of your cyber security implementation project.
Our tools – Compliance Manager, the Data Flow Mapping Tool and vsRisk Cloud – make it easy for you to identify your legal requirements, understand the data you process and conduct information security risk assessments in line with international best practice, respectively.
Want to know more?
For further information and to sign up for a demo, please click here.
*** This is a Security Bloggers Network syndicated blog from Vigilant Software Blog authored by Ingrid Then-Guiraut. Read the original post at: https://www.vigilantsoftware.co.uk/blog/are-organisations-learning-from-cyber-attacks/