DATA BREACHES IN BANKS IN UK

1. HSBC

HSBC Bank suffered an incident of data breach in October 2018 that involved unnamed hackers
gaining access to their customers' account details such as bank statements and transaction history
as well as personal information of customers such as names, dates of birth, and home addresses.
It had notified all the affected customers about the breach and offered such customers one year of
credit monitoring and identify theft protection service.1 The data breach affected only the U.S.
operations.2

1.1. THE PERPETRATORS

HSBC specified that the breach was the result of a credential stuffing attack. 3 This is when
hackers try usernames and password combinations leaked in data breaches at other companies,
hoping that some users might have reused usernames and passwords across services. 4 “An attack
tool which is becoming increasingly prevalent is the use of account checkers, which take lists of
already-compromised login credentials and tests them against certain targeted sites.”5

The information accessed is estimated to include the customer’s full name, mailing address,
phone number, e-mail address, date of birth, account numbers, account types, account balances,
transaction history, payee account information, and statement history where available.6

1.2. EXTENT OF DANGER

HSBC specified that it was not sure about the number of accounts that were compromised or if
any money was stolen from them.7 The bank did not reveal the exact number of customers that
were affected. They stated that the malefactors stole the details of “less than 1 per cent” of some

1
https://www.teiss.co.uk/hsbc-data-breach-customers-affected/
2
https://www.bankinfosecurity.com/hsbc-bank-alerts-us-customers-to-data-breach-a-11685
3
https://blueliv.com/resources/white-papers/Finance_whitepaper_ENG.pdf, pg 14.
4
https://www.zdnet.com/article/hsbc-discloses-security-incident/
5
Supra note 3.
6
https://www.teiss.co.uk/hsbc-data-breach-customers-affected/
7
https://www.reuters.com/article/us-hsbc-cyber/hsbc-discloses-customer-accounts-hacked-at-its-u-s-bank-
idUSKCN1NB24M
1.2 million US customers. This means that 12,000 Americans might have had their personal
information fall into the hands of cyber thieves.8

1.3. REMEDY PROVIDED

“The bank enhanced its authentication process for HSBC Personal Internet Banking, adding an
extra layer of security. HSBC offered a complimentary subscription to Identity Guard, a credit
monitoring and identity theft protection service. Identity Guard not only provides essential
monitoring and protection of credit data, but also alerts customers to certain activities that could
indicate potential identity theft.”9

2. LLOYD

Lloyd Banking group suffered a 48-hour long online attack in January, 2017 by cybercriminals
who attempted to block access to 20 million UK accounts.10

2.1. THE PERPETRATORS

The attack has been estimated to be launched by an international criminal gang which has
previously targeted a public cloud services provider in 2014. 11 The digital services of Lloyds
Banking Group were hit by severe DDoS Cyber Attack where a business website is swamped
with heavy traffic in an attempt to disable it. When the servers start feeling the traffic fatigue,
they shut down triggering service disruption on the entire network.12

2.2. THE EXTENT OF DANGER

The attack affected Lloyds and its Halifax and Bank of Scotland brands13. A number of
customers were left temporarily unable to use services such as checking their balance or sending

8
https://securityboulevard.com/2018/11/week-45-cyberattack-digest-2018-hsbc-google-play-the-bank-of-england-
and-others/
9
HSBC NOTICE
10
https://www.theguardian.com/business/2017/jan/23/lloyds-bank-accounts-targeted-cybercrime-attack
11
https://www.cybersecurity-insiders.com/cyber-attack-disrupts-online-services-of-lloyds-bank/
12
Id.
13
https://www.computerweekly.com/news/450411443/Lloyds-Bank-hit-by-massive-DDoS-attack
payments. No customers suffered any financial loss.14 TSB, which was carved out of Lloyds in
2013 but still uses its technology platform, was also hit.15
2.3. REMEDY PROVIDED

“The engineers blocked all internet traffic from overseas locations where the attacks seemed to
be coming from, halting the disruption at least temporarily before the attackers switched their
activity elsewhere.”16 The information technology department ‘geo-blocked’ the source of
attack.17 This drops a portcullis over the server launching the attacks, but also stops legitimate
customer requests from that area too. The cybercriminals then move to another server, and the
geo-blocking game begins again.18

3. TESCO

In November 2016, Tesco Bank was attacked by a Brazil-based cyber-attack lasting for 48 hours,
in which attackers exploited vulnerabilities in Tesco Bank’s procedures for issuing debit cards,
enabling them to generate “virtual cards” with authentic card numbers, in order to steal £2.26
19
million. “One in 15 of the bank’s 136,000 current accounts were affected.” 20 Personal current
account holders started receiving automatic text messages which asked them to call Tesco Bank
and inquire about suspicious activity. This is how the Bank was informed of the cyber attack.21

3.1. THE PERPETRATORS

The Tesco Bank attack is estimated to have occurred via its online banking system which
affected 20,000 accounts. The stolen money was then used to buy thousands of goods from
14
https://www.ft.com/content/50318b28-e098-11e6-9645-c9357a75844a
15
Id.
16
https://www.bbc.com/news/business-38715909
17

18
https://www.hitc.com/en-gb/2017/01/23/lloyds-bank-accounts-targeted-in-huge-cybercrime-attack/
19
https://www.clearygottlieb.com/-/media/files/alert-memos-2018/key-lessons-from-the-fcas-16-4-million-fine-of-
tesco-bank-for-failings-around-cyber-attack.pdf, pg 2
20
https://www.thisismoney.co.uk/money/saving/article-3930118/Tesco-Bank-hack-happened-protect-account.html
21
https://www.paulhastings.com/docs/default-source/PDFs/stay-current-tesco-banka-precedent-cyber-security-
fine.pdf, pg 1
 22
worldwide retailers using the contactless mobile-phone payment method. Although very little
is known about the perpetrators of the attack, some customers have stated that their money was
moved to companies in Brazil, the United States and Spain, suggesting that the perpetrators may
be operating in these countries.23 “Tesco shares dipped by 1.28 percent to 199.90 pence in early
London trading, as London stocks rose by 1.3 percent.”24

3.2. ERRORS COMMITTED BY TESCO

The U.K. Financial Conduct Authority highlighted the following errors committed by Tesco25-

1. The design and distribution of its debit cards posed vulnerabilities to the customers and
Tesco did not take appropriate cautionary steps when it decided to limit use of contactless
transactions with its debit card. Tesco Bank debit cards were not designed for use with
contactless transactions—however, Tesco Bank failed to disable this function so that
cards could still be used in the case of transactions presented as contactless transactions.
2. Failure to configure specific authentication and fraud detection rules: some debit card
transactions bypassed the fraud analysis management system because the system was
programmed at an account level rather than card-based.
3. Tesco Bank failed to take appropriate action to prevent the foreseeable risk of fraud. It is
a member of and recipient of information from Visa and MasterCard regarding the
operation of its card schemes. A year earlier Visa sent Tesco Bank a warning concerning
the exact fraudulent transactions that took place. Two months before the cyber attack
MasterCard also sent information concerning similar transactions to Tesco Bank and
Tesco Bank failed to address either warning. Tesco bank didn’t respond to the cyber
attack with “sufficient rigour, skill and urgency” as it failed to follow its own written
procedures and the correct rules in responding to the attack. There was poor crisis

22
https://internationalbanker.com/banking/hacking-tesco-bank-changing-nature-bank-robbery/
23
https://internationalbanker.com/banking/hacking-tesco-bank-changing-nature-bank-robbery/
24
file:///C:/Users/Hello/Downloads/2016-11-defrauded-uk-tesco-bank-hack.pdf, pg 1.
25
https://www.paulhastings.com/docs/default-source/PDFs/stay-current-tesco-banka-precedent-cyber-security-
fine.pdf , pg 2-3.
 management and significant coding failures, with customers complaining that they were
kept on hold for hours and received no communication from the firm.
3.4. FINE

“Tesco was fined with £16,400,000 after a foreseeable cyber attack exposed the weaknesses in
the design of its debit card business and affected 8,261 personal current accounts. It is the first
time the FCA has fined a firm for a cyber-security breach. Tesco Bank’s fine was discounted by
30% because it cooperated extensively at an early stage with the FCA in its investigation and put
in place an effective consumer redress scheme.” 26

26
https://www.paulhastings.com/docs/default-source/PDFs/stay-current-tesco-banka-precedent-cyber-security-
fine.pdf, pg 1.