If the recent security breach of Tesco Bank accounts had happened under the General Data Protection Regulation (GDPR), Tesco would be facing fines of over £1.9bn.
Supermarket chain Tesco, owners of Tesco Bank, admitted to a serious security breach following complaints of discrepancies in customers’ accounts. Criminals hacked 40,000 accounts and stole money from 20,000. Tesco Bank suspended all online transactions while it investigated.
General Data Protection Regulation
The GDPR will tighten data protection rules across the EU when it comes into force in two years’ time. It will replace the existing EU Data Protection Directive in May 2018. The regulation includes fines of up to 4% of turnover for ‘data controller’ organisations that experience a security breach. The entire organisation’s turnover, not just that of the affected business unit, is expected to be used to calculate the fine.
Despite the UK’s Brexit vote earlier this year, the Government says it still plans to implement the new GDPR.
Any organisation that processes personal information must register with the Information Commissioner’s Office (ICO) under the Data Protection Act 1998. It is a criminal offence for an organisation not to register.
Tesco’s fine under GDPR
In the year to the end of September this year, Tesco Bank had a turnover of £955m, but the whole company’s turnover was £48.4bn. So under the new GDPR rules, calculated on group turnover, it would’ve faced fines of more than £1.94bn, with lawsuits for breaches of data privacy on top.
Risk of more data breaches
Customers are being warned that criminals may make further attempts to steal their money, and to be alert for any phone calls or emails claiming to be from Tesco Bank. Tesco Bank says it does not ask customers for their full PIN over the phone, and does not email or text links directing customers to their online account.
Tesco Bank has promised to refund customers who have lost money in the security breach.