In a landmark cyber-security case, the UK Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 after a cyber attack exposed weaknesses in the design of its debit card business and affected 8,261 personal current accounts.
It is the first time the FCA has fined a firm for a cyber-security breach.
The attack occurred some two years ago and preceded the introduction of the EU’s GDPR and Second Payment Services Directive (PSD2). While there is no indication that personal data of Tesco Bank’s customers was unlawfully accessed, similar events, if they occurred today, would potentially raise issues under GDPR or PSD2 around the design of a financial institution’s systems and result in the imposition of very substantial fines.
More generally, the fine is evidence that the FCA is pursuing one of the cross-sector priorities that the FCA referred to in its 2018-19 Business Plan of “Data security, resilience and outsourcing”. In its Business Plan the FCA noted that its work focused on ensuring that firms are more resilient to cyber-attacks and technology outages, so reducing the risk and frequency of disruptions and also ensuring that new and replacement technologies are resilient. Open banking and PSD2 raise important concerns in the context of mandatory obligations around access and the sharing of data.
The cyber attack took place in the early hours of a Saturday morning in November 2016. Hackers generated authentic Tesco Bank customers’ debit card numbers to enter into thousands of fraudulent debit card transactions presented as contactless MSD transactions. The hackers created virtual cards likely off the back of genuine debit card numbers and the use of algorithms, despite the fact that the debit cards weren’t designed for contactless use.
Legal Basis for the FCA’s Action
The FCA found that Tesco Bank violated Principle 2 of its Principles for Businesses, that firms must exercise due skill, care and diligence. Four specific areas were highlighted by the FCA where Tesco Bank could have prevented what it considered to be a “foreseeable” cyber attack:
- Security built into the design and distribution of products. Security should form an integral part of the design and distribution of products. In this case, the debit cards presented vulnerabilities to customers. Tesco Bank failed to take appropriate measures to prevent contactless transactions when the cards were not designed for this purpose.
- Appropriate authentication and fraud detection rules. The Bank was criticized for failing to put in place appropriate authentication and fraud detection rules. For example, some debit card transactions bypassed the fraud analysis management system because the system was programmed at an account level rather than card-based.
- Addressing foreseeable risks. The Bank was a member of and recipient of information from Visa and MasterCard regarding the operation of their respective card schemes. A year earlier Visa issued a warning concerning the types of fraudulent transactions similar to those perpetrated on Tesco Bank. Two months before the cyber attack MasterCard also sent information concerning similar transactions to Tesco Bank. The FCA considered that Tesco Bank failed to properly address either warning.
- Processes for responding to a cyber attack. The FCA found that Tesco Bank did not respond to the cyber attack with “sufficient rigour, skill and urgency”, as it failed to follow its own written procedures and the correct rules in responding to the attack. There was poor crisis management and significant coding failures, with customers complaining that they were kept on hold for hours and received no communication from the firm.
A cure is as important as prevention?
Clearly, firms must focus on preventing security breaches. The Tesco case, however, highlights that a firm’s systems for responding to such incidents when they arise are as important.
According to the FCA, it took Tesco Bank 21 hours for its internal fraud strategy team to begin addressing the error in the algorithm permitting the fraudulent transactions. Not only was the number of affected customers increasing, but a series of unfortunate errors caused the attack to escalate:
- Tesco Bank’s internal fraud strategy team put a rule in place on their system which attempted to block transactions. The Bank, however, failed to monitor whether this was working appropriately (which it was not).
- The cyber attack occurred on a weekend and the relevant business incident manager was un-contactable because the rota for that weekend stated an incorrect telephone number.
- Once the internal fraud strategy team had identified that the majority of the suspicious transactions were coming from Brazil they blocked all those transactions and drafted another rule change. Again they didn’t monitor this, and the rule was ineffective because they had inputted the wrong currency code – they should have used Brazil’s country code, and it took the team close to four hours to realise this.
- When external fraud experts were called in they determined that Tesco Bank’s authorisation system was not capable of blocking the remaining fraudulent transactions because Tesco Bank had configured it at customer account level rather than at an individual debit card level.
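The failures listed above (a blocking rule built with a currency code where a country code belonged, nobody checking whether a deployed rule matched anything, and blocks keyed on the customer account rather than the individual card) are all things a small authorisation pipeline can be made to guard against. The following is an added illustration written for this article, not Tesco Bank's system or any vendor's code: the card registry, sample transactions, ISO code subsets and rule shapes are constructed, and the way an account-keyed block misses a card identifier the issuer cannot resolve to an account is an assumption about one way such a control can fail, not a description of what happened at the Bank.

```python
"""Toy card-authorisation checks (constructed example): rule-parameter validation,
card-level vs account-level blocking, and a post-deployment 'is the rule live?' check."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed subsets of the ISO tables; a real system loads the full lists.
ISO3166_COUNTRIES = {"GB", "BR", "US", "DE"}
ISO4217_CURRENCIES = {"GBP", "BRL", "USD", "EUR"}


@dataclass(frozen=True)
class Card:
    account_id: str
    contactless_enabled: bool  # was the card issued for contactless use?


@dataclass(frozen=True)
class Txn:
    card_id: str       # card identifier presented by the acquirer
    amount: float
    country: str       # acquirer country, ISO 3166 alpha-2
    currency: str      # ISO 4217
    contactless: bool  # presented as a contactless (MSD) transaction


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Txn], bool]


def validate_country_code(code: str) -> str:
    """Return '' if code is usable as a country code, otherwise the reason it is not."""
    if code in ISO4217_CURRENCIES:
        return f"{code!r} is an ISO 4217 currency code; a country rule needs an ISO 3166 code"
    if code not in ISO3166_COUNTRIES:
        return f"{code!r} is not a known ISO 3166 country code"
    return ""


def country_block_rule(code: str) -> Rule:
    """Build a 'block this acquirer country' rule, refusing a mis-typed code at build time."""
    problem = validate_country_code(code)
    if problem:
        raise ValueError(problem)
    return Rule(f"block-country-{code}", lambda t: t.country == code)


def contactless_rule(cards: Dict[str, Card]) -> Rule:
    """Block contactless presentations on cards not issued for contactless use,
    and on card identifiers the issuer does not recognise at all."""
    def match(t: Txn) -> bool:
        card = cards.get(t.card_id)
        return t.contactless and (card is None or not card.contactless_enabled)
    return Rule("contactless-not-enabled", match)


def authorise(txns: List[Txn], cards: Dict[str, Card], rules: List[Rule],
              blocked: Set[str], scope: str) -> Tuple[List[str], Dict[str, int]]:
    """Return (verdict per transaction, hit count per control).
    scope='card' keys the block list on the presented card id; scope='account' keys it
    on the account the card resolves to, so an unknown card id never matches (assumption)."""
    verdicts, hits = [], {r.name: 0 for r in rules}
    hits["blocklist"] = 0
    for t in txns:
        if scope == "card":
            key = t.card_id
        else:
            card = cards.get(t.card_id)
            key = card.account_id if card else None
        verdict = "approve"
        if key is not None and key in blocked:
            verdict, hits["blocklist"] = "block", hits["blocklist"] + 1
        for r in rules:
            if r.match(t):
                hits[r.name] += 1
                verdict = "block"
        verdicts.append(verdict)
    return verdicts, hits


def inert_rules(hits: Dict[str, int], deployed: List[str]) -> List[str]:
    """Post-deployment check: a rule rolled out against live fraud that matched nothing
    is probably misconfigured and should be escalated rather than assumed to be working."""
    return [name for name in deployed if hits.get(name, 0) == 0]


CARDS = {  # constructed issuer registry: card id -> (account, contactless?)
    "card-1": Card("acct-A", contactless_enabled=False),
    "card-2": Card("acct-A", contactless_enabled=False),
    "card-3": Card("acct-B", contactless_enabled=True),
}

TXNS = [  # constructed sample transactions
    Txn("card-1", 20.0, "GB", "GBP", contactless=False),  # genuine chip-and-PIN use
    Txn("card-2", 15.0, "GB", "GBP", contactless=False),  # sibling card on the same account
    Txn("card-3", 5.0, "GB", "GBP", contactless=True),    # genuine contactless, enabled card
    Txn("gen-7f2a", 9.0, "BR", "BRL", contactless=True),  # generated card id, unknown to issuer
    Txn("card-1", 9.0, "BR", "BRL", contactless=True),    # contactless on a non-contactless card
]

if __name__ == "__main__":
    good = [contactless_rule(CARDS), country_block_rule("BR")]
    print("card-level:", authorise(TXNS, CARDS, good, {"card-2", "gen-7f2a"}, "card"))
    print("account-level:", authorise(TXNS, CARDS, [], {"acct-A"}, "account"))
    typo = Rule("block-BRL", lambda t: t.country == "BRL")  # currency code in a country field
    _, hits = authorise(TXNS, CARDS, [typo], set(), "card")
    print("inert rules after deployment:", inert_rules(hits, ["block-BRL"]))
    print("build-time check:", validate_country_code("BRL"))
```

Two things are worth noting. The build-time validator and the post-deployment `inert_rules` check are complementary: the first catches a currency code typed into a country field before the rule ships, and the second catches any rule that ships but matches nothing, which is the monitoring step the text says was missing. On scope, the card-keyed run can block one compromised card while its sibling on the same account keeps working, whereas the account-keyed run blocks every card on the account and still lets the generated card identifier through, because it resolves to no account at all.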
On the plus side, Tesco Bank’s financial crime controls did prevent 80% of the unauthorised transactions, and following the attack the firm commissioned an independent expert report into the root cause and made improvements to its financial crime systems as a result. A consumer redress scheme was promptly established which refunded fees, charges and interest to customers, reimbursed customers for the direct losses they had incurred, and paid compensation to some customers for distress and inconvenience and consequential losses on an individual basis.
What does this say about future developments?
Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA opines that the lesson here is that “the standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack”. This chimes with the FCA’s cross-sector priority focus on resilience and data security. Firms should take account of the enhanced risks of enforcement in this area.
It took the FCA two years to conclude its investigation and in the meantime PSD2 and the GDPR have been implemented, significantly changing the backdrop and raising some interesting issues highlighted below.
The European Union’s Second Payment Services Directive (PSD2) is a key driver in the development of open banking. Established firms are now required to permit access to customer accounts and to share customer data. The introduction of new intermediaries and obligations to share data and access create new security risks.
PSD2 also provides for new Strong Customer Authentication (SCA) standards. A key failure in the Tesco case relates to the Bank’s authentication detection processes. In a context where firms are grappling with the new SCA requirements, this case suggests that firms need to be cautious.
Under PSD2 firms must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services they provide. Also, firms have to establish and maintain effective incident management procedures including for the detection and classification of major operational and security incidents. The case highlights both of these areas.
Data Protection Issues
The Bank has stated that the cyber attack did not result in a loss or theft of customer data. Nevertheless, the issues that arose in this case could have data protection implications and despite occurring pre-25 May, raise interesting considerations in terms of GDPR compliance.
Questions have already been raised around the appropriateness of the technical security measures that Tesco Bank had previously taken and whether or not the product had been designed with sufficient data protection considerations in mind, specifically the provisions relating to privacy by design and default.
It will be interesting to see how the ICO reacts to the attack – if at all. While the attack pre-dates GDPR, if the new regime were to be applied the fine could have been significantly higher than the discounted penalty finally imposed by the FCA and could reach up to 2% of the firm’s annual turnover. Whether or not the ICO chooses to act, or indeed issue a statement, will be telling of how the regulators will work together going forward in a world much more alert to data and cyber security issues and where hackers abound.
Sarah Pearce and Arun Srivastava are both Partners in the firm’s London office focusing, respectively, on data privacy and financial services matters. Lara Kaplan is an Associate in the firm’s Washington DC office, having recently joined there from the UK Financial Conduct Authority’s General Counsel Division.