Tesco Bank's cyber attack: a series of unfortunate events?

Answer

The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc £16,400,000. In a nutshell, it found that the bank failed to exercise due skill, care and diligence in protecting its current account holders against a cyber attack that took place in November 2016. As a result, Tesco breached Principle 2 of the FCA’s principles for business by failing to act with due skill, care and diligence. 

What happened?

What can only be described as a series of unfortunate events led to the losses that resulted from the breach.

When the cyber attack occurred, it seems the attackers used an algorithm that generated authentic debit card numbers and used them to engage in unauthorised card transactions. The attack did not involve loss or theft of personal data. The incident took place over 48 hours and the attackers amassed over £2 million.

The bank became aware of the attack when its system started to ask customers to call about suspicious activity, but a series of errors meant that the bank’s financial crime operation team did not contact the fraud strategy team for 21 hours, during which time nothing was done to stop the attack, which continued. The fraud strategy team identified the primary channel and source of the attack and put in place a rule to block the transactions, but failed to monitor it – and in fact the rule was ineffective because of a mistake in it. The bank put right the mistake, but residual transactions continued. It called in experts, who uncovered another coding error in the bank’s original system.

Once senior management became aware of the incident, immediate action was taken by blocking certain transactions and this had the effect of stopping the fraudulent transactions. Senior management updated customers regularly and did much to return them to their previous financial position.

What did the FCA say?

The FCA said the bank had failed to protect customers from “foreseeable risks”. It had had a very specific warning that it did not address until it was too late. The cyber attack was able to take place because the bank did not exercise sufficient skill, care and diligence in:

• the design and distribution of its debit card: it never intended the cards to be used for contactless MSD transactions, yet allowed that use. It also issued cards with sequential PAN numbers, which made it easier for fraudsters to predict numbers;

• configuring authentication and fraud detection rules: the system did not require checking the exact date of card expiration and the fraud analysis management system was set at account level and not card level, so that cards that had been replaced did not go through the system;

• taking appropriate action to prevent the foreseeable risk of fraud: Visa and MasterCard had warned members about this particular risk, but the bank acted only to block the transactions on its credit cards, not its debit cards; and

• responding to the attack with enough rigour, skill and urgency: exemplified by the failures to alert the correct teams in the right way, the coding errors and the lack of monitoring, together with unclear guidance on when to invoke crisis management procedures.

The FCA found that, although the bank’s controls stopped around 80% of the unauthorised transactions, the attack affected over 8,000 accounts – and the customers who were affected received texts in the middle of the night, faced embarrassment when unable to use their cards and long queues when calling the bank for help. The charges and interest the bank applied led to many unpaid direct debits.

What did the bank do right?

The bank provided a high level of cooperation to the FCA and that, together with a redress programme that was comprehensive and fully compensated customers, and the fact that it stopped a significant percentage of unauthorised transactions, meant that what would have been a fine of over £33 million was reduced by 30% for mitigation credit and a further 30% discount was applied for early settlement. The FCA commented that the bank independently commissioned expert reports, which it acted upon. It accepted responsibility for the incident and agreed to participate in a symposium to discuss the lessons it learned.

A series of unfortunate events?

So what would Lemony Snicket say?

Look away: The bank did not take sufficient account of financial crime risks in designing its debit cards in the first place and particularly not when it decided to enable them for contactless MSD transactions.

Look away: The authentication system did not require checking the exact date of card expiry, again making it easier for the attackers to get through the authentication process. 

Look away: Transactions involving debit cards previously replaced were not programmed into the fraud analysis system.

Look away: The bank failed to act on warnings from both Visa and Mastercard.

There's nothing but horror and inconvenience on the way: Almost everything that could have gone wrong went wrong, once the customer texts started. Teams followed the wrong procedures, tried to contact other teams in the wrong way and were unable to contact a key individual because of an incorrect number. There was an error in the rule intended to stop the fraud continuing, exacerbated by not monitoring the rule to see if it worked, and then the discovery of an error in the original underlying coding. Customers were unable to use their cards or get through on the phone.

So, look away: In cyber attacks, speed is key. The FCA criticised Tesco Bank not only for having failed properly to take account of financial crime risk in its product design and to act on notifications of concern, but also for the amount of time it took to uncover and address the problems, largely due to failings in the crisis management arrangements. 

But the message is still that it pays to co-operate. FCA is sending a clear message that those who hold their hands up to problems and do everything within their power not only to remediate the breach but also to do as much as they can to ensure it does not happen again will see the merits of their actions. It is interesting that the final notice did not in any way criticise senior management and, indeed, praised it for the actions it took once it became aware. One has to ask, though, who was responsible for the financial crime prevention procedures that failed to take account of the risks at the outset?

Emma Radmore is a legal director at Womble Bond Dickinson.