As a result of the COVID-19 pandemic, many more organisations have moved their business operations online.  From a cybersecurity and privacy perspective, this brings hackers and criminals greater opportunities to try to infiltrate the increased amount of devices and even deploy ransomware attacks. This is where malware is installed to block access to the user’s data by locking the computer or encrypting the data until the demanded ransom is paid. In some cases, the attackers also threaten to disclose the stolen data if the ransom is not paid.

Ransom attacks are on the rise, with the ICO reporting an increase from 13 ransomware incidents per month to 42 at its 2021 conference. In the U.S., the recent Kaseya ransomware attack affected nearly 200 companies, while the recent pipeline attack disrupted fuel supplies to the East Coast for several days, leading to fuel shortages.

According to a global survey conducted by Sophos, the average total cost of recovery from a ransomware attack has more than doubled, increasing from $761,106 in 2020 to $1.85 million in 2021. These remediation costs include business downtime, lost orders and operational costs. The average ransom paid is $170,404, yet only 8 per cent of organisations managed to recover all of their data after paying a ransom.

In 2020 and so far this year in 2021, the manufacturing, government, education, services and healthcare industries have been particularly hard hit by ransomware attacks. However, no industry is immune from such attacks and ransomware attacks are featured across all industries, including utilities, technology, logistics, transportation, finance and retail.

Continue Reading Ransomware is on the rise – what to do if you are faced with a cyber attack

As part of Reed Smith’s webinar series on crisis management, on Wednesday 6 November 2019, partners Tom Webley, Philip Thomas and John M. McIntyre delivered a webinar to clients on data breaches, cyber attacks, and potential responses to such incidents.

Our recent client alert focuses on the key themes arising out of the webinar and

The UK Financial Conduct Authority (FCA) announced at the start of last month that it had fined Tesco Bank £16.4 million for a cyber-attack that occurred two years ago.

In November 2016, 8,261 personal current accounts at Tesco Bank were compromised. Attackers obtained customers’ debit card details and entered into thousands of unauthorised transactions.

This is the first cyber-attack-related fine to be imposed on a UK bank by the FCA. The fine was reduced from the initial draft penalty of £23.5 million on the basis that Tesco Bank agreed to settle at an early stage, to be cooperative, and to compensate customers.

FCA’s Final Notice

The FCA set out its findings and enforcement action in its Final Notice dated 1 October 2018.

The fine was issued on the basis that Tesco Bank breached the FCA’s second Business Principle, which provides that a firm must conduct its business with due skill, care and diligence.

FCA Enforcement Director Mark Steward commented that the FCA has “no tolerance for banks that fail to protect customers from foreseeable risks”.

The FCA criticised Tesco Bank, saying that the cyber-attack was “largely avoidable”. The failings of Tesco Bank to conduct its business with due skill, care and diligence included:

  • issuing debit cards with sequential card numbers, meaning that hackers could more easily work out details of active cards;
  • configuring its authorisation system to check only that a card’s expiry date was in the future, and not that the date was correct;
  • taking action to block the specific type of fraudulent transaction for its credit cards, but failing to do the same for its debit cards; and
  • not responding to the attack with sufficient “rigour, skill and urgency”. This is because Tesco Bank ineffectively contacted its fraud strategy team – contrary to procedure, used an incorrect code to block the unauthorised transactions, and failed to monitor the rule’s operation and therefore notice that the code was not working properly.

The Final Notice concludes by acknowledging that Tesco Bank’s cyber-crime framework was appropriate but that it was, in fact, individuals within the bank who had failed to exercise the required due skill, care and diligence.

Tesco Bank has since changed its issuing practice and no longer issues cards with sequential card numbers. It has also changed its authorisation system, and now checks that the expiry date is correct.

Continue Reading Tesco Bank fined £16.4 million for cyber-security failings