It’s a rare thing for a bank to suffer a data breach, but around this time last year people were left fearful after Tesco suffered a massive security breach in their banking branch.
Reportedly, around 40,000 Tesco Bank accounts were affected with money taken from some 20,000 accounts.
At least £2.5 million was stolen in what was deemed as one of the biggest, successful attacks on a bank to have ever occurred, and potentially the very first, large-scale attack where money was directly stolen from a bank.
A costly breach
Tesco immediately suspended online banking activity and contactless payments in the wake of the breach, although with the breach being online, account holders were still able to use the chip and pin services and cashpoints. Tesco sent an alert to users to inform and warn them of the attack, and they also refunded customers that had money taken from their accounts.
As is common with such breaches, shares dropped, compensation claims were filed, and authorities investigated the breach. This kind of breach can see hefty fines from our regulators here in the U.K.
‘Systematic and sophisticated’ attack
The supermarket labelled this as a ‘systematic and sophisticated’ attack. The breach came only a couple of years after the 2014 Tesco.com attack where thousands of online users had their login names and passwords shared publicly.
Over 2,000 internet shopping accounts were affected in that breach, and personal data was compromised. It was suspected that the 2014 breach was a result of the 2013 breach where hundreds of Tesco club card holders had their loyalty schemes hacked and their usernames and passwords revealed.
For the recent data breach, The National Crime Agency got involved in investigations as well as the Financial Conduct Authority, and The Information Commissioners Office (ICO).
With the power to impose penalty fines of up to £500,000, undertakings and even custodial sentences, the ICO often come down hard on organisations who fail in their legal obligations to protect peoples’ data.