Skip to content

Data breach sanctions imposed in October 2018

What has happened?

The start of October 2018 saw two noteworthy data breaches highlighted by significant regulatory sanctions, following investigations that each took almost two years to complete.

BUPA fined £175,000 for systemic data protection failures

BUPA Insurance Services Limited was fined £175,000 by the Information Commissioner’s Office for failing to have effective security measures in place to protect customers’ personal information. Between 6 January and 11 March 2017, a BUPA employee was able to extract the personal information of 547,000 international BUPA Global customers and offer it for sale on the dark web.

The employee accessed the information via BUPA’s customer relationship management system, known as SWAN. The system holds customer records relating to 1.5 million people. The employee sent bulk data reports to his personal email account and the compromised information, which included names, dates of birth, email addresses and nationality, was later offered for sale on the dark web.

BUPA was alerted to the breach on 16 June 2017 by an external partner who spotted customer data for sale. BUPA and the ICO received 198 complaints about the incident. The rogue employee was dismissed, and Sussex Police issued a warrant for his arrest.

The ICO’s investigation found that, at the time, BUPA did not routinely monitor SWAN’s activity log. BUPA was unaware of a defect in the system and was unable to detect unusual activity, such as bulk extractions of data. Failing to keep personal data secure is a breach of the Data Protection Act 1998.

It also revealed systemic failures in BUPA’s technical and organisational measures which also left 1.5 million records at risk for a long time.

FCA has imposed on Tesco Personal Finance plc (Tesco Bank) a financial penalty of £16,400,000

Tesco Bank was the subject of a cyber-attack in November 2016. The attackers most likely used an algorithm which generated apparently authentic Tesco Bank debit card numbers and, using those “virtual cards”, they engaged in thousands of unauthorised debit card transactions.

The attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and its Financial Crime Operations Team to carry out the attack.

Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the attackers £2.26 million. The attack did not involve the loss or theft of customers’ personal data.

Although Tesco Bank’s controls stopped almost 80% of the unauthorised transactions, the cyber-attack affected 8,261 out of 131,000 Tesco Bank personal current accounts. Personal current account holders received text messages which were likely to cause customers distress in the early hours of the morning. Some customers suffered embarrassment and inconvenience when they were unable to make payments using their debit cards.

Some experienced long call queues and did not always receive the help they needed from Tesco Bank’s call centre.

The FCA found Tesco Bank breached its Principle requiring firms to conduct business with “due skill, care and diligence”, and considers that Tesco Bank did not apply this principle to the design and distribution of its debit card, in configuring specific authentication and fraud detection rules, in taking action to prevent fraud risk, and in its response to the cyber-attack.

How Thistle can help you?

Thistle will continue to keep this area under review and will issue further updates where necessary. Please contact Thistle if you need assistance in relation to any of these issues or visit our cyber security page for more information on the service we provide in this area.