The massive November 2016 Tesco data breach has led to a ground-breaking fine issued in the sum of £16.4m.
The fine has been issued by the Financial Conduct Authority (FCA). It’s understood that this is the first time that the FCA has issued a fine for an online fraud incident.
The level of the fine is thought to reflect the severity of the Tesco data breach. This was an avoidable incident that arose from Tesco’s lax security. The incident led to customers of Tesco Bank losing millions of pounds in stolen funds.
About the November 2016 Tesco data breach
The November 2016 Tesco data breach occurred when criminals exploited vulnerabilities in Tesco’s security to generate “virtual cards”. An algorithm was used to create new debit card numbers, and the criminals then used the invented credentials to make payments and transfer funds out of genuine customer accounts.
In total, it’s understood that the criminals got away with some £2.26m.
What the regulators said about the Tesco data breach
The regulators were far from complimentary about the Tesco data breach. They described a number of errors and said that this was a “largely avoidable incident”.
In a comment, the FCA confirmed that the criminals exploited “deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team”.
The first fine of its kind
The Tesco data breach is said to have yielded the first fine from the FCA for an online fraud incident. The unauthorised transactions that the criminals managed to make led to a wave of outrage from customers targeted in the incident.
The fine of £16.4m reflects the severity of this breach, as well as the fact that it was totally avoidable.
It also leads us to consider how the FCA will be involved in future cybercrime incidents in conjunction with bigger GDPR fines. A company like Tesco could end up facing a huge fine from both the FCA and the Information Commissioner’s Office (ICO).
This is all on top of compensation claims that victims of a data breach are entitled to make.
The result is that incidents like the 2016 Tesco data breach could prove very costly for businesses moving forward. Cybersecurity simply cannot be treated as anything other than a top priority for organisations.
The collapse of a business could end up revolving around a single cybersecurity incident.