BISCUIT SELLER Tesco, the supermarket chain that owns Tesco Bank, would face fines of over £1.9bn for this weekend's hack if it occurred under the EU's forthcoming General Data Protection Regulation (GDPR).
The GDPR will become law in less than 24 months and will dramatically crank up the data protection regulatory regime across Europe.
One of its key features is fines of up to four per cent of turnover for an organisation classified as a 'data controller' that suffers a security breach.
Furthermore, lawyers generally agree that, although poorly worded, the intention of the GDPR in the case of diversified organisations like Tesco is that the turnover of the whole organisation would be used as the basis for determining the fine.
Tesco Bank had a turnover of £955m in the year to the end of September 2016, but the company as a whole filed a turnover of £48.4bn. That would subject the company to a fine of as much as £1.94bn, with class-action lawsuits for breaches of data privacy on top of that thanks to the new rules under the GDPR.
"The GDPR text is not as clear as it could be, but most people think that is the intention [i.e. the whole group would be subject to the fine]. One German data protection authority has confirmed that that is its view too," a data protection lawyer, who asked not to be named, told the INQUIRER.
The UK's data protection authority, the Information Commissioner's Office (ICO), may take a different attitude but it is, at the moment, staying tight-lipped.
It refused to be drawn on the Tesco Bank security breach, instead saying vaguely in a statement: "We're aware of this incident and are looking into the details.
"The law requires organisations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate and enforce if necessary."
The UK's National Crime Agency is leading a criminal investigation into the breach, according to a statement from the newly formed National Cyber Security Centre (NCSC).
"Given the investigation thus far and the evidence at hand, the NCSC is unaware of any wider threat to the UK banking sector connected with this incident," it said.
Tesco Bank suspended all online transactions on Monday after customers started reporting discrepancies in their accounts over the weekend, including losses of up to £2,000.
The bank has promised to reimburse customers who have lost out as a result of the security breach, but it may take some time to restore the funds.
"Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently," said Tesco Bank CEO Benny Higgins over the weekend.
The bank has admitted that as many as 40,000 accounts were hacked, and that money was stolen from 20,000 of them. µ
INQ's sister site Computing's Enterprise Security & Risk Management Summit returns on 24 November. Entrance is FREE to qualifying IT leaders and computing professionals, but places are going fast, so register now.
It's an onomatopoeic week for Google
Hope that free lunch was delicious
It's like Bixby being terrible never happened
Notch to be outdone