Tesco Bank criticised for its “lax” security system

Following what was dubbed as the largest cyber-attack in U.K. banking history, Tesco Bank has a lot to answer for in terms of the ‘suspicious activity’ of 40,000 bank accounts, which led to thousands being successfully hacked, and money going missing.

What originally was thought to be a hack into 20,000 customer accounts was revised down to 9,000, in which £2.5 million was stolen.

NCSC and NCA

Not that it makes the situation any better, but Tesco Bank has reimbursed all stolen funds from the cyber-hack. The National Cyber Security Centre (NCSC) is now on board to investigate what happened and make sure this sort of thing doesn’t happen again.

The NCSC is an authoritative voice on information security in the U.K. who aims to ensure that people are safer online, and to ensure that the critical national infrastructure of the U.K. is good.

The NCSC along with the National Crime Agency are looking into the cyber-attack.

Cybersecurity expert thoughts…

Cybersecurity experts like Ian Mann said the size of the breach indicates that Tesco’s internal system was hacked. Mann criticises Tesco’s system by stating that the method of access for its customers was “weak for this type of system”.

The reason for this is because the username is your email address by default, and you are only required to enter certain digits from your numeric PIN, according to reports. By only requiring limited digits, it could make it almost impossible to encrypt the PINs. Without an encrypted PIN, this could have given easy access to the hacker(s) by revealing all usernames and passwords.

Another cyber-security company Cyberint said that warning signals were posted on several dark web forums, with hackers/members commenting on Tesco Bank being a “cash milking cow” and “easy to cash out”. The forum detailed how members were discussing a “brute forced” technique to access the bank accounts, and this was apparently tested on thousands of login and passwords until one worked.

There are no substantial links between the stolen money and these claims, but it’s very coincidental. It’s hard to pinpoint one answer to the data breach, as the Bank has declined to comment as it is part of an ongoing criminal investigation.

Tesco Bank ignored warning signals

There seems to have been multiple warning signals as a second cybersecurity company said it had warned Tesco of some problems related to its mobile apps four months prior to the incident. With Tesco being a ‘second-tier’ bank, this may have been difficult for them to develop coherent mobile security software when compared with the top tier banks like Natwest and Barclays.

Financial penalties

As a company, Tesco Bank seemingly failed to adhere to the Data Protection Principles stemming from the Data Protections Act – that organisations have a duty to protect their customers’ data from data breaches. By failing to do so, Tesco will probably be penalised by the Information Commissioner’s Office (ICO). The ICO has the authority to impose fines of up to £500,000. Following a revamp of EU data protection rules, I’m sure Tesco will be writing a hefty cheque for its failure to protect their customers’ data, as there is one estimate that Tesco will be fined nearly £2 billion under the new General Data Protection Regulation.

Lesson learned

This is a word of warning for all companies and organisations that cybersecurity should be at the forefront of everyone’s mind. If companies are proactive about their cybersecurity, they wouldn’t have to face the disastrous consequences. I’m sure this will be a lesson learned for Tesco Bank to take data protection more seriously.

Sources:

https://www.gov.uk/government/news/new-national-cyber-security-centre-set-to-bring-uk-expertise-together

http://www.theregister.co.uk/2016/11/10/tesco_bank_breach_analysis/

http://www.bbc.co.uk/news/technology-37974776

“Adobe’s $1 million fine” – Adobe Systems has been fined for the security breach in 2013

Broxtowe Borough Council’s Data Breach