UK sees a fivefold increase in number of financial firms reporting data breaches last year

Banks saw a 25 per cent rise in data breaches in 2018 according to the Financial Conduct Authority, with some of the high street’s biggest names hit by hackers.

In total, 145 financial services companies were affected by data breaches last year, compared to 25 the year before.

Investment banks were the worst-hit, with 34 recording breaches, up from three in 2017, while retail banks saw the largest rise in percentage terms.

The figures from the FCA came from a Freedom of Information request by a law firm.

Just 25 financial firms were affected by data breaches in 2017, which has spiralled to 145 last year – investment banks and high street banks were both hit hard

Seven UK retail banks were forced to shut down or limit their systems last April after hacks that cost them hundreds of thousands of pounds to fix. 

Some of the biggest high street banks, including Barclays, Santander and Royal Bank of Scotland were affected.

Tesco Bank was also affected, and was fined £16.4million by the FCA in October last year following a cyber-attack in 2016 that saw £2.26million stolen from current accounts.

Richard Breavington, a partner at RPC and head of its cyber insurance and breach response team, said: ‘We know that the number of cybercriminals prosecuted under the Computer Misuse Act is below 100 annually.

‘When you compare that to the number of cyber-crimes being reported across all industries, you can see that it’s a very lucrative criminal enterprise’.

The number of cyber-attacks reported to the city regulator has steadily increased since 2015, but spiked last year. Four years ago the FCA was told of 24 cyber incidents.

The increase in the number of reported breaches may be partially explained by the introduction of new EU privacy laws that came into force in May. 

GDPR requires businesses to identify and report cyber-attacks within 72 hours or face fines of up to €20million or four per cent of global turnover.

Breavington added that companies ‘have done intensive training and made response plans that weren’t there before. GDPR has certainly influenced the reporting of breaches.’

In the first month after the introduction of GDPR, June 2018, the FCA saw 20 incidents reported by financial services companies, its highest monthly total.

One figure at a UK high street bank told the Financial Times a serious cyber incident was the biggest fear for boards because of the difficulty in preparing for it. 

They said: ‘If you think an economic downturn is coming you can load up on capital, if you think a bank run is coming you can load up on liquidity, you can’t do that here.’

A data breach can range from an accident such as sending an email containing customer data to the wrong address all the way through to a targeted cyber-attack.

Paolo Sartori, managing director of TransWorldCom, said: ‘While banks normally have excellent and secure cyber security, it is only as strong as the security measures of individual employees, as malicious emails can penetrate even the most robust protection measures.

‘In terms of ensuring that data is safe and secure for the future, there needs to be a concerted effort to educate individuals against the full scope of data threat.

‘Personal and professional cyber security go hand-in-hand, a chain is only as strong as its weakest link, and financial workers succumbing to fake emails for example leave us all exposed.

‘It is easy to separate consumer data from corporate or public cyber security but in reality we are all human and education against these kinds of attacks is of the utmost importance.’

FCA rules require a bank to report any ‘material’ cyber incident, with problems considered ‘material’ if they lead to a significant loss of data, affect a large number of customers, or give any unauthorised access to their systems.