Financial Conduct Authority Seeks £30+ Million Fine Against Tesco Bank for Cyberattack Data Breach

On September 24, Sky News reported that the United Kingdom Financial Conduct Authority (FCA) is seeking a fine of more than £30 million against Tesco Bank relating to the 2016 cyberattack on the bank’s online services.  At the time of the attack, the bank’s then-Chief Executive Officer, Benny Higgins, stated that “a systematic, sophisticated attack” had taken money from about 20,000 customer accounts.  Tesco Bank shortly thereafter refunded £2.5 million to about 9,000 customers, and is now contesting the proposed FCA fine.

Note: This action is only the latest in a series of enforcement actions that United Kingdom authorities have brought against various companies and entities in 2018 for data breaches or inadequate data protection:

  • September 2018: The United Kingdom Information Commissioner’s Office (ICO) imposed a £500,000 fine on Equifax Ltd. for “failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.”
  • July 2018: The ICO stated its intent to fine Facebook the maximum of £500,000 for two violations of the Data Protection Act 1998, stemming from Facebook’s alleged failure to protect Facebook users’ personal data that Cambridge Analytica harvested for political purposes.
  • June 2018: The ICO imposed a £250,000 fine on Yahoo! for a 2014 data breach that resulted in the theft of at least 500 million records.
  • May 2018: The ICO imposed a £120,000 fine on the University of Greenwich for a security breach in which 19,500 students’ personal data were placed online.

This particular report, however, is a timely reminder – as reports of other significant United Kingdom-related data breaches at British Airways, Dixons Carphone, and Ticketmaster have come to light in recent months — that companies doing business in the United Kingdom need to see that their data-security compliance programs focus not only on the General Data Protection Regulation (GDPR), but on other laws and regulatory regimes that mandate effective protection against data breaches.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s