Rehearsing for cyber attacks - what does Tesco's fine teach us?

In November 2016 cyber attackers in Brazil used the authentic debit card details of some Tesco Personal Finance PLC customers to perform thousands of transactions in a 48 hour period. Now, in a Final Notice of 1st October 2018, the FCA has fined Tesco £16.4 million for what it saw as multiple failings that made the attack possible.

Tesco has admitted that the design of its debit cards was inadequate, as were its systems for payment authentication and fraud detection. The debit cards in question were not intended for contactless payments, but the authentication system did not decline such transactions when they were made. Such failings, most of which were unique to Tesco, are in breach of the FCA’s Principles of Business.

Beyond such technical issues, Tesco had received two prior industry-wide warnings of fraudulent contactless debit card payments in Brazil and indeed some of its own cards had been affected. The FCA concluded, therefore, that the attack was both foreseeable and preventable and Tesco had failed to take appropriate action.

However, perhaps of the greatest concern to other businesses facing similar cyber attack risks is the FCA’s finding that Tesco failed to respond to the attack itself ‘with sufficient rigour, skill and urgency.’ They identified a string of errors by Tesco’s response team that had enabled the fraudulent activity to continue longer than it should. There is a warning here for others in the FCA’s implication that the staff tasked with responding had not been sufficiently well rehearsed to be fully effective.

Having policies and procedures in place for such eventualities is not enough. Businesses are expected to have staff well drilled to implement them immediately and without error. Firms need to look at this as an essential aspect of job training, and be prepared to dry run a range of different scenarios designed specifically to put staff under pressure and reveal the areas where mistakes are likely. Only but such means, the FCA would contend, can businesses take reasonable steps to ensure that, in the event that there is a real attack, response will be swift and effective.