Written by Neil McLeod • Published 09th November 2016
Tesco’s recent banking crisis serves as a stark reminder of the threat which hackers pose to businesses of all sizes.
Details have now emerged that 9000 people’s accounts were affected, with £2.5 million stolen from these accounts in a “systematic, sophisticated attack”. The bank’s customer service department was overloaded as account holders vented their dismay over the phone and on social media.
Customers were further wounded as Tesco Bank’s Twitter account innocently posted a tweet wishing its customers a nice weekend, oblivious to the chaos that was ensuing.
Good morning. I hope you've had a good weekend so far! Let us know if you have any banking queries – Nick
— Tesco Bank Help (@tescobankhelp) November 6, 2016
The hack is unlikely to be the last in a long list of recent data breaches which are plaguing companies in the digital age. Some have labelled it as one of the worst data breaches experienced by a UK company, with TechWorld placing it in its top 13.
Worried customers will be relieved to hear that all stolen money has been refunded, and that normal banking services have finally been resumed. Yet the crisis has done lasting damage to the bank’s reputation, which is not nearly as easy to remedy.
Tesco Bank confirms full service has resumed for current account customers https://t.co/ZNURZRUskI
— Tesco Bank Help (@tescobankhelp) November 9, 2016
The crisis comes as a further blow to Tesco’s image, which had already been severely damaged by the accounting scandal in 2014 which revealed the company had overstated its profits by over £250 million.
As the scale of the breach became clear, CEO Benny Higgins made the decision to face the media, attempting to get the situation back under his company’s control by engaging with angry customers. While this was inevitably a very difficult task, there is a feeling that his performance on Radio 4’s flagship Today program left a lot to be desired. Data breach or otherwise, any crisis management plan requires a highly confident spokesperson, underlining the importance of media training.
Yet Higgins does deserve praise for the speed of his reaction. As an organisation begins to buckle under the weight of a crisis, CEOs must be prepared to put themselves at the epicentre of the earthquake to protect the company. In the face of damning media headlines, concerned politicians, an external investigation and a share price drop, Higgins was prepared to do just that. He quickly announced the investigation and assured customers that the situation would be remedied by a quick refund. While this is perhaps an expected response, it is also one that so many companies get wrong.
Higgins was suffering from a lack of information from the start, with suggestions from credible sources that the hack was the work of either Brazilian hackers or Russian gangs. We have been told that Tesco’s banking system was probed for months by hackers testing its resilience. Higgins now has his work cut out trying to restore trust among both existing customers and the wider market.
What the debacle illustrates is that modern technology brings real dangers to security, both for companies and for society as a whole. Cyber criminals cost the UK £11 billion last year alone, and the FCA says cyber-attacks on financial institutions have risen from 5 in 2014 to 75 so far in 2016. In addition, a 2015 survey by PwC showed 90% of large organisations and 74% of SMEs reported a security breach, which led to an estimated £1.4bn in regulatory fines.
In two years’ time, the current fine cap of £500,000 will be lifted by the European Union’s General Data Protection Regulation (GDPR), which will introduce fines for groups of companies of up to £18 million or 4% of annual worldwide turnover. This new law could be particularly damaging to UK businesses, leaving them with a bill of £122bn in penalties under the current breach rate per The Payment Card Industry.
Tech publication Computing says that due to the wider turnover of its parent company, Tesco Bank could receive a fine as large as £1.94bn, 4% of the group turnover. On top of that, the GDPR rules would include class-action lawsuits for breaches of data privacy.
While this will undoubtedly lead to large organisations like Tesco spending millions to bolster their cyber defences, it should also be high on the list of priorities for SMEs. This is particularly pressing for tech companies and those which use online payments, as any company which holds personal data could face a substantial fine.
Companies must also develop robust, clearly thought-out strategies on how to communicate with customers, for which legal and PR experts would be of assistance. This will include social media, wider media and direct communications. Indeed, the UK regulator ICO can enforce the notification of customers if it is not immediately done by the company themselves.
Companies must also adhere to the laws of any overseas jurisdictions in which their customers are based, and keep those customers updated with news.
Ultimately, Tesco Bank clearly did have an emergency plan in place, and it was activated. We will know in time what criticisms can be levelled at its cyber-security systems, but for now we know that Benny Higgins has a tough job ahead of him as he attempts to restore confidence.
As a precaution we have notified some customers that we have blocked their cards to protect their account – https://t.co/m8zjO6BKgj
— Tesco Bank Help (@tescobankhelp) November 6, 2016
Ultimately, companies must treat effective communication as pivotal to their data breach strategies. Tesco’s woes are a bleak reminder that the struggle against hackers, whose threats and methods are constantly evolving, is an ongoing battle for companies of all sizes. If planned for correctly, it is a war that can be won.