Tesco Bank – a £16 million fine shows that paper is not enough

Hot on the heels of Equifax comes the Tesco Bank fine. Another known vulnerability, another hack, and this time it’s a fine of £16 million from the FCA. For those interested in planning for an effective response to a data breach, Tesco Bank provides a useful example.

By way of background: a team of fraudsters based in Brazil generated random card numbers (based on a fixed number structure), used those numbers to bypass Tesco Bank’s security, and then moved money out of personal accounts. The attack was fast and furious: from start to stop the hack lasted 48 hours, fraudulent transactions peaked at 80,000 (Tesco’s systems stopping 90%), and the fraudsters made off with £2.26 million. Only 8,261 individuals were affected, but they had a torrid time: texts in the night from Tesco Bank notifying them of suspicious activity on their account, little or no response from Tesco Bank when they tried to get in touch, and the worry that their savings had been stolen. Tesco Bank’s reaction was poor and slow: in the end they had to bring in external help to fix the problem.

The FCA’s comments are instructive. Here are a few extracts:

“While Tesco Bank’s cyber crime framework was appropriate, the framework is only as good as the individuals who work within it. Tesco Bank was vulnerable to the attack because individuals failed to exercise due skill, care and diligence to design and distribute the debit card, configure specific authentication and fraud detection rules, take appropriate action to prevent the foreseeable risk of PoS 91 fraud, and respond to the attack with sufficient rigour, skill and urgency.” [emphasis added]

[…]

“Having well documented crisis management procedures is an essential element of a bank’s (or any financial institution’s) cyber-resilience procedures. It is equally important to ensure that the individuals responsible for implementing crisis management procedures understand the procedures and have the appropriate training to understand how to use the policies and procedures and that banks rehearse these procedures using a variety of scenarios.” [emphasis added]

I sum this up as: you can have great written procedures, but if the relevant individuals don’t really own the problem, it won’t do you much good. And there’s the nub of the problem – most organisations think that once the procedures are written, the problem’s solved. In fact, nothing could be further from the truth. It’s not realistic to expect people to perform well in a crisis if the crisis comes round, say, once every three years. You can’t become good at something if you only do it once every three years.

The FCA seems to suggest two answers to this. The first is to get people to respond to the attack with rigour, skill and urgency. If that means that organisations should hire better people, then that won’t fix anything on an industry basis. Most people are, by definition, average.

The FCA’s second answer is more useful: more training and, the bit I’ve emphasised, rehearsals. By which I mean, workshops, dry runs, war gaming and the like. If we assume that the breach, when it comes, will not come in the form we expect it (and this is the only safe assumption), then the key skill is the ability to think quickly and on your feet. This is the “no plan survives first contact with the enemy” point. Along the same lines is Eisenhower (who turned out to be pretty good at crisis management): “plans are useless but planning is indispensable”.

So, in my view, the main lesson from Tesco Bank is – don’t rely on the paper. If you want to be ready, make sure you organise regular rehearsals, workshops, dry runs, war gaming and the like. Build some institutional savvy and resilience.

For those that are interested, I’ve set out below some additional lessons from the Tesco Bank experience, together with some context.

Lesson one: Early on in the hack, members of the Bank’s staff noticed unusual activity and sent an email to the Fraud Team inbox. Unfortunately, it was a weekend, and the Fraud Team don’t monitor their inbox at weekends. The end result was that the Fraud Team missed the opportunity to intervene early.

Do not assume that the communication is delivered until the recipient has confirmed receipt.

Lesson two: The Out Of Hours Team, concerned about the increasingly high volume of calls to the fraud prevention line, tried to raise a P1 Incident with Tesco Bank’s Service Desk. The Service Desk declined to raise the incident because the suspicious transactions did not involve IT matters.

Work as a team.

Lesson three: The Fraud Team finally got involved and coded a fix to the problem. They implemented the fix at 1:45am on Sunday morning. They then decided to go to bed and reconvene at 7am to monitor the effectiveness of the fix. Unfortunately, the code contained an error and didn’t work.

Don’t assume that your fix works until you’ve checked that it works.

Crisis management is 24/7: someone has to stay awake.

Lesson four: On one day, the fraud prevention telephone line received 3,887 telephone calls (against a forecast of 61). 94.4% of those calls (3,669) were abandoned by customers who tried to call but were placed on hold for too long.

If you haven’t workshopped it before, it won’t be alright on the night.