Tesco are the latest corporation to fall victim to a major cyber-attack.
It’s thought that 20,000 customer bank accounts were affected following an attack, leading to a full investigation with the National Crime Agency which is now well underway.
This is also thought to be the first time a bank has acted very publicly about such an attack. There have long been concerns about what organisations are keeping from us in terms of cybersecurity issues…
Sophisticated cyber-attack
Tesco Bank’s chief executive, Ben Higgins, blamed the nature of the attack, calling it “a systematic, sophisticated attack”, with the possible undertone that there was little blame on their part.
This seems to be the trend among many companies that have suffered huge attacks – like TalkTalk and Yahoo. The logical thought process would be that, if companies were more proactive about cybersecurity, there would be less risk of a cyber-attack.
But then there is always the common argument from their side that they can’t always stop them all…
Thousands of customers affected
Mr Higgins knew “exactly” what the attack was, but did not go into further detail as it is part of a current criminal investigation. It is thought that 40,000 accounts experienced “suspicious transaction activity” and a further 20,000 of these accounts are thought to have had money taken out of the account.
These are big figures…
The chief executive said their focus was on protecting customer transactions. However, you could argue that their ‘protection’ is a little too late given that the damage has already been done…
Inadequate response?
Since the cyber-attack was revealed, Tesco have informed customers of the attack, stating that current account holders will not be able to make online transactions until they can “bring things back into control”. This will not stop customers from using their card at an ATM, making VISA transactions, or accessing their online banking account.
This has not just caused customers distress with the thought of further fraudulent activity, but it has also been a massive inconvenience for many who cannot perform online transactions until further notice.
Financial losses
The bank has pledged that any financial loss resulting from the attack will be borne by the bank. They state that customers are not at financial risk, yet, by having even some access to the bank accounts attacked, the cyber-hackers could potentially do further damage as well.
By stating that the customers are not at any financial risk, Mr Higgins has possibly given them a false sense of security, and you could argue that it’s quite a shaky statement. It’s almost like saying “once you have given the keys to your house to a burglar, you are not in any danger once they’ve been returned.”
Is that really a fair statement?
Mr Higgins has apologised for the “worry and inconvenience” that customers have had to face, but, at the same time, is it enough for Tesco to just apologise and refund the stolen money? Tesco has arguably put their customers at risk of potential future attacks and fraud, and can you quantify such a risk?
Inadequate cybersecurity
There are clear arguments that Tesco did not do enough to protect their customers from the cyber-attack. Security expert James Maude said that Tesco suspending online transactions – taken with the fact that so many customers were affected – clearly highlights the multiple problems with the website.
Was it secure enough? Did Tesco keep up with maintenance or website updates to keep their security at a maximum?
There are a number of unanswered questions at this stage…
Data protection responsibilities
One thing is for sure – companies like Tesco have an important responsibility to protect their customers from unlawful data processing, as is clear under the Data Protection Act. The Act lays out eight principles that companies, organisations and the government must follow in relation to their customers’ data. If it is found that Tesco failed to adhere to these principles, they can be subject to strong penalties and possible fines.
It is not the first time!
It’s not the first time that Tesco has had some problems with their cybersecurity. In 2014, thousands of Tesco customers’ login details and passwords were accessed which led to a mass deactivation of accounts. You would have thought that, two years on, Tesco would have learnt their lessons. Tesco, as well as their customers, may have, unfortunately, just learned the hard way!