Tesco, the supermarket chain that owns Tesco Bank, would face fines of over £1.9bn for this weekend’s hack if it occurred under the EU’s forthcoming General Data Protection Regulation (GDPR).
The GDPR will become law in less than 24 months and will dramatically crank up the data protection regulatory regime across Europe.
One of its key features is fines of up to four per cent of turnover for an organisation classified as a ‘data controller’ that suffers a security breach.
Furthermore, lawyers generally agree that, although poorly worded, the intention of the GDPR in the case of diversified organisations like Tesco is that the turnover of the whole organisation would be used as the basis for determining the fine.
Tesco Bank had a turnover of £955m in the year to the end of September 2016, but the company as a whole filed a turnover of £48.4bn. That would subject the company to a fine of as much as £1.94bn, with class-action lawsuits for breaches of data privacy on top of that thanks to the new rules under the GDPR.
“The GDPR text is not as clear as it could be, but most people think that is the intention [i.e. the whole group would be subject to the fine]. One German data protection authority has confirmed that that is its view too,” a data protection lawyer, who asked not to be named, told the INQUIRER.
The UK’s data protection authority, the Information Commissioner’s Office (ICO), may take a different attitude but it is, at the moment, staying tight-lipped.
It refused to be drawn on the Tesco Bank security breach, instead saying vaguely in a statement: “We’re aware of this incident and are looking into the details.
“The law requires organisations to have appropriate measures in place to keep people’s personal data secure. Where there’s a suggestion that hasn’t happened, the ICO can investigate and enforce if necessary.”
The UK’s National Crime Agency is leading a criminal investigation into the breach, according to a statement from the newly formed National Cyber Security Centre (NCSC).
“Given the investigation thus far and the evidence at hand, the NCSC is unaware of any wider threat to the UK banking sector connected with this incident,” it said.
Tesco Bank suspended all online transactions on Monday after customers started reporting discrepancies in their accounts over the weekend, including losses of up to £2,000.
The bank has promised to reimburse customers who have lost out as a result of the security breach, but it may take some time to restore the funds.
“Tesco Bank can confirm that, over the weekend, some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently,” said Tesco Bank CEO Benny Higgins over the weekend.
The bank has admitted that as many as 40,000 accounts were hacked, and that money was stolen from 20,000 of them.
Article Courtesy of www.theinquirer.net