Financial Conduct Authority Seeks £30+ Million Fine Against Tesco Bank for Cyberattack Data Breach

On September 24, Sky News reported that the United Kingdom Financial Conduct Authority (FCA) is seeking a fine of more than £30 million against Tesco Bank relating to the 2016 cyberattack on the bank’s online services.  At the time of the attack, the bank’s then-Chief Executive Officer, Benny Higgins, stated that “a systematic, sophisticated attack” had taken money from about 20,000 customer accounts.  Tesco Bank shortly thereafter refunded £2.5 million to about 9,000 customers, and is now contesting the proposed FCA fine.

Note: This action is only the latest in a series of enforcement actions that United Kingdom authorities have brought against various companies and entities in 2018 for data breaches or inadequate data protection:

  • September 2018: The United Kingdom Information Commissioner’s Office (ICO) imposed a £500,000 fine on Equifax Ltd. for “failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.”
  • July 2018: The ICO stated its intent to fine Facebook the maximum of £500,000 for two violations of the Data Protection Act 1998, stemming from Facebook’s alleged failure to protect Facebook users’ personal data that Cambridge Analytica harvested for political purposes.
  • June 2018: The ICO imposed a £250,000 fine on Yahoo! for a 2014 data breach that resulted in the theft of at least 500 million records.
  • May 2018: The ICO imposed a £120,000 fine on the University of Greenwich for a security breach in which 19,500 students’ personal data were placed online.

This particular report, however, is a timely reminder – as reports of other significant United Kingdom-related data breaches at British Airways, Dixons Carphone, and Ticketmaster have come to light in recent months – that companies doing business in the United Kingdom need to ensure that their data-security compliance programs focus not only on the General Data Protection Regulation (GDPR), but also on other laws and regulatory regimes that mandate effective protection against data breaches.
