Tesco would face fines of up to £1.9bn under GDPR for Tesco Bank breach

Entire Tesco group would be in the firing line - with demands for more payouts on top from class-action lawsuits

Tesco, the supermarket chain that owns Tesco Bank, would be facing fines of just over £1.9bn if the kind of security breach it admitted to over the weekend were to occur under the EU's forthcoming General Data Protection Regulation (GDPR).

The GDPR will become law in less than two years and will drastically crank up the data protection regulatory regime across the European Union. One of its key features includes fines of up to four per cent of turnover for an organisation classified as a 'data controller' that suffers from a security breach.

Furthermore, while poorly worded, lawyers generally agree that the intent of the GDPR in the case of diversified organisations like Tesco is that the turnover of the whole organisation would be used as the basis for determining the fine.

Tesco Bank had a turnover of £955m in the year to the end of September 2016, according to Tesco's latest accounts, but the company as a whole filed a turnover of £48.4bn. That would subject the company to a fine of as much as £1.94bn - four per cent of group turnover - with class-action lawsuits for breaches of data privacy on top of that thanks to the new rules that the GDPR will introduce.

"The GDPR text is not as clear as it could be, but most people think that is the intention (ie: the whole group would be subject to the fine). One German data protection authority has confirmed that that is its view too," said one data protection lawyer, one of the leading legal authorities on the GDPR, who asked not to be named.

The UK's data protection authority, the Information Commissioner's Office (ICO), may take a different attitude but it is, at the moment, staying tight-lipped.

It refused to be drawn on the Tesco Bank security breach after Computing filed a series of questions, except to issue the following statement: "We're aware of this incident and are looking into the details. The law requires organisations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate, and enforce if necessary."

Tesco Bank suspended all online transactions over the weekend after customers started reporting discrepancies in their accounts, including reported losses of up to £2,000. The bank has promised to reimburse customers who have lost out as a result of the security breach - but it may take some time to restore the funds.

"Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently," admitted Tesco Bank CEO Benny Higgins over the weekend.

The bank has admitted that as many as 40,000 accounts were hacked, and money stolen from 20,000 of them. One customer claims that a 'cloned' debit card was used in Brazil. According to Mail Online, the customer had never had a debit card with the bank because the account was used purely for savings, but that an attempt was made on his account via a fraudulent card in a transaction traced to Rio de Janeiro, Brazil at 9am on Sunday.

Customers who find themselves short as a result of the security breach have been told to visit a Tesco supermarket to get emergency funds.

Computing's Enterprise Security & Risk Management Summit returns on 24 November. Entrance is FREE to qualifying IT leaders and computing professionals, but places are going fast, so register now.