It has been revealed today that Tesco has been fined £16.4m by UK watchdog for failing to protect customers for a data breach that took place two years ago and resulted in cyber attackers stealing £2.26m. At the time, hackers exploited vulnerabilities in Tesco Bank's debit card design and its financial crime controls.
Ross Brewer, VP & MD EMEA, LogRhythm, made the following commented,"This fine is a reflection of how serious and stringent today’s regulators are when it comes to data protection. In this case, the cyber criminals may have managed to steal £2.26m, but Tesco has come off much worse after being hit with a £16.4m fine.
“What’s frustrating is that this attack could have easily been avoided. Tesco did not address its defences or vulnerabilities until after the breach had taken place, making it too little too late – something I’m sure the company is regretting right now.
“Businesses have to take lessons from these breaches. Tesco is a big enough company that should survive a fine this high, but not every company will be in the same position. Attacks on retailers and banks no longer surprise anyone, but what is still incomprehensible is that so many of these companies are failing to identify threats from the offset.
“It is crucial that businesses have tools in place such as NextGen SIEM and User and Entity Behaviour Analytics (UEBA) that can flag unusual or anomalous activity as soon as it happens, giving businesses like Tesco the opportunity to immediately neutralise threats and avoid the embarrassing and damaging aftermath of a breach.”
Paul Farrington, director EMEA & APAC at CA Veracode added, "This penalty is a reminder of how critical it is that organisations consider their vulnerabilities and limit their exposure to fines. Financial losses due to non-compliance have the potential to outstrip what it would have cost to mitigate against a breach in the first place.
"There will be tougher penalties in the future, and UK businesses must reassess their IT infrastructure and secure their software, web applications and networks to help protect sensitive data and ensure compliance.”