On September 24, Sky News reported that the United Kingdom Financial Conduct Authority (FCA) is seeking a fine of more than £30 million against Tesco Bank relating to the 2016 cyberattack on the bank’s online services. At the time of the attack, the bank’s then-Chief Executive Officer, Benny Higgins, stated that “a systematic, sophisticated attack” had taken money from about 20,000 customer accounts. Tesco Bank shortly thereafter refunded £2.5 million to about 9,000 customers, and is now contesting the proposed FCA fine.
Note: This action is only the latest in a series of enforcement actions that United Kingdom authorities have brought against various companies and entities in 2018 for data breaches or inadequate data protection:
- September 2018: The United Kingdom Information Commissioner’s Office (ICO) imposed a £500,000 fine on Equifax Ltd. for “failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.”
- July 2018: The ICO stated its intent to fine Facebook the maximum of £500,000 for two violations of the Data Protection Act 1998, stemming from Facebook’s alleged failure to protect Facebook users’ personal data that Cambridge Analytica harvested for political purposes.
- June 2018: The ICO imposed a £250,000 fine on Yahoo! for a 2014 data breach that resulted in the theft of at least 500 million records.
- May 2018: The ICO imposed a £120,000 fine on the University of Greenwich for a security breach in which 19,500 students’ personal data were placed online.
This particular report, however, is a timely reminder (as reports of other significant United Kingdom-related data breaches at British Airways, Dixons Carphone, and Ticketmaster have come to light in recent months) that companies doing business in the United Kingdom need to ensure that their data-security compliance programs focus not only on the General Data Protection Regulation (GDPR), but also on other laws and regulatory regimes that mandate effective protection against data breaches.