December 4, 2016

Tesco Breach Points to Cyber Security Lags at Banks Worldwide

Officials at U.K.-based Tesco Bank may wish to convey that the dust has settled regarding a stunning cyber attack in which thousands of patrons directly lost cold, hard cash.

But that certainly is not the case. In fact, the longer-term ramifications Tesco and its customers must now deal with are instructive to smaller, second-tier financial services firms globally. That’s because no one expects cyber attacks against banks to relent anytime soon.

Since the initial announcement of the Nov. 7 breach, Tesco has confirmed that money was compromised from around 9,000 of its 136,000 current accounts and the cost of reimbursing these lost funds would run to £2.5 million ($3.10 million).

Sidestepping huge fine

Tesco ought to consider itself lucky that the new EU General Data Protection Regulation does not kick in until May 2018, as those new rules would increase the maximum level of a government fine in this type of breach cases from £500,000 ($620,700) to over £2 billion ($2.5 billion).

Related: Rising EU breach fines make security a boardroom issue

Tesco has called in the U.K. National Cyber Security Centre to steer the investigation. And company officials assert that no customer personal data was compromised. There is, however, some skepticism over this comment due to Tesco’s practice of displaying bank patrons’ email addresses as default user names for accessing online accounts.

Vulnerabilities brushed off

Keep in mind that well prior to Tesco’s breach disclosure, several private cybersecurity companies highlighted a number of obvious vulnerabilities in the online security systems of second-tier U.K. retail banks. In some cases, security vendors approached banks with information about these vulnerabilities and were rebuffed—as if the security vendors were highlighting weaknesses in a pure effort to extract business from the banks.

At the moment, there is general concern in banking and security circles that Tesco appears to be treating this particular attack as completed, which is unwise.

If it later transpires that personal data was, indeed, compromised, the bank will have lost the opportunity to take quick, effective measures to help victims react to identity fraud scams that typically occur weeks or months after the actual breach.

Quick, thorough action needed

Customers need prompt notification and fraud remediation services put in place as soon as possible to protect themselves from these secondary crimes.

Tesco bank can be relatively pleased with the speed at which they were able to identify and resolve the primary crime in this case. However, Tesco and many banks in this sector of the U.K. market unfortunately continue to demonstrate a level of complacency with regard to secondary risks.

This attitude could potentially leave customers with exposed email, pin and memorable information data that can—and will—be used in other crimes.

Thomas Spier is London-based director of business development for CyberScout. This guest essay originally appeared on ThirdCertainty.com.

 

By Thomas Spier

SHARE THIS