According to a Sky News exclusive, the FCA is set to clobber Tesco Bank with a fine of £30m over the data breach in late 2016, where £2.5m was snaffled from thousands of its customers’ current accounts. Except it turned out it wasn’t; only fifty accounts were actually plundered, not for very much, and it was all sorted.
So how does this warrant such a huge fine? It’s hard to see, but the first two theories I have are that Sky News has got it wrong, or the FCA has gone seriously bonkers. If they’re touching miscreant institutions for £600K per customer inconvenienced, RBS and NatWest are toast.
So what’s it all about? Well, we don’t know what Tesco Bank actually did. My best guess is that someone cloned cards and cashed out at ATMs. That’s the easiest way, and there is no evidence this was widespread or sophisticated. And it’s interesting that only current accounts were hit; not credit – which is where the big money is in retail banking fraud.
But that’s just a guess. Why would the FCA be so exercised about some card fraud?
There is no shortage of other theories. There is the usual criticism of the parent company and its insecure non-banking systems. The usual unpatched server card is played. Yes, everyone knows Tesco self-checkouts use Windows XP. There are criticisms of the lack of protective monitoring. Lack of AV. But this comes from commentators whose employers’ business is selling such things. There is talk of an inside job, which is possible, but they didn’t take them for much if it was.
So if the FCA is really that cross with Tesco Bank, why?
The question no one is asking is why Tesco Bank announced a major breach, affecting so many people? Here I’m stacking guesses, but just for fun…
If I’m right about it being ATM bandits, could it be that staff investigating found something horrible and hairy, and jumped to the conclusion it was behind it? They did the right thing, and told everyone about the vulnerability, but the black hats hadn’t. The FCA would have been unimpressed, regardless of the consequences, and whacked them accordingly.
If I’m right, it’s a bit rough on Tesco Bank, fined as a result of being robbed. But this is all one guess based on another. The truth may be still stranger.