Around 40,000 Tesco Bank current accounts saw suspicious activity over the weekend. Half discovered funds had been taken – possibly amounting to £20m spirited away in all – in a “systematic, sophisticated attack”. The bank’s creaking customer service department all but caved in as account holders took to the phones and then to social media to vent their increasing anger and dismay.
To add insult to injury, Tesco Bank obliviously posted a tweet on its account wishing customers a nice weekend.
The hack has been labelled one of the worst data breaches experienced by a company in the UK, which TechWorld placed in its top 13.
As the wheels of investigation began turning, CEO Benny Higgins – quite rightly – faced the media in order to inform customers and try to wrestle the situation back in his company’s favour. Not an easy task, given the swirl of angry customers also wanting to do the same. The harshest critic would argue his performance on Radio 4’s flagship Today programme left a lot to be desired. This serves to underline fully that any crisis plan – data breach or otherwise – requires a media-confident spokesman. Media training is key.
But Higgins deserves some credit for the speed of his reaction. If an organisation is spinning and buckling under the weight of crisis, the reaction of the CEO is all important. Faced with a share price drop, a tsunami of media headlines, quotes from quizzical politicians, and facing external investigations, Higgins was quick to put himself front and centre, announce the investigation and go on the record as to what the remedy would be (a quick refund). That is a textbook response – but one so many other companies get wrong.
Higgins still found the void of firm information on day one a problem as it was filled by credible – and disturbing – media speculation that the mass hack was the work of either Brazilian hackers or Russian crime gangs. Tesco Bank systems had been tested by hackers for months, we were informed. Higgins and his team now have a gargantuan task of restoring trust amongst existing customers and the wider marketplace. It won’t be the first time banks have fought to restore trust, of course.
What the Tesco Bank saga underlines is a very modern, tech-based crisis. While the FCA has claimed attacks on financial institutions have risen from five in 2014 to 75 so far in 2016, all companies from all sectors are at risk. A government 2015 information security breaches survey showed 90 per cent of large organisations and 74 per cent of SMEs reported a security breach, leading to an estimated total of £1.4bn in regulatory fines.
That is based on existing legislation. But firms need to look ahead to the future.
In two years’ time, new rules introduced by the European Union’s General Data Protection Regulation (GDPR) will include fines for groups of companies of up to £18m or four per cent of annual worldwide turnover. This dwarfs the current fine cap of £500,000. And the Payment Card Industry claimed the new law – which could also lead to expensive class action litigation across Europe – would leave UK businesses facing £122bn in penalties under the current breach run rate.
Respected tech publication Computing suggested that in the case of Tesco Bank, the wider turnover of its parent Tesco could mean a company fine of as much as £1.94bn – four per cent of group turnover – with class-action lawsuits for breaches of data privacy on top of that thanks to the new rules that the GDPR will introduce.
The most robust security systems in the world are clearly high on the shopping list for Tesco. But they should also be for SMEs, particularly those involved in online payments and tech. Any company which holds personal data of customers faces a fine. SMEs also need to embrace clearly thought-out plans on how to communicate with customers, which legal and PR experts will clearly assist with. This will encompass social media, wider media and direct communication. The regulator in the UK – the ICO – can enforce the notification of customers if it isn’t immediately done by the company which holds their data.
If customers are based in overseas jurisdictions, then laws in those countries also need to be adhered to. Customers there also need to be kept updated with news. Tesco Bank clearly had a reaction plan, which it did need to activate. Benny Higgins has tough work ahead of him to restore confidence. We will know in time what criticism can be levelled at the bank’s cybersecurity systems.
But it is a sharp reminder that the struggle against the hackers, whose threats and methods evolve constantly, is ongoing for all sizes of enterprise. This means plans for communicating effectively should also be a key part of any firm’s data breach strategy – and this is a war that can be won if planned for correctly.
Neil McLeod is a crisis management expert at leading London PR agency PHA Media.