Botched TSB system upgrade causes data breach

TSB’s chief executive, Paul Pester, has said the bank is on its knees following last weekend’s chaotic data migration.

Mr Pester’s comments are in stark contrast to the optimism shown by the chairman of TSB’s new owner, the Spanish Banco Sabadell, earlier in the week. Josep Oliu boasted that, “With this operation, Sabadell demonstrates its capacity of technological management not only in national but also international integrations. The new Proteo4UK platform is an excellent starting point for organic business growth and improved TSB efficiency.”

Numerous column inches have been devoted to the incident and its fallout, but there’s one thing in particular that seems worth discussing in the context of information security: Mr Pester insisted on Tuesday that there had been “no data breach whatsoever”.

Anecdotal evidence suggests that he’s mistaken.

Confidentiality, integrity and availability

A data breach is a situation in which the confidentiality, integrity or availability of data is compromised. Typically, when an organisation suffers a breach, one of the three will be affected (more often than not confidentiality).

However, it seems that rather than avoiding a breach, TSB has, unfortunately, managed the dubious feat of pulling off a hat-trick: some customers reported being able to access others’ accounts (confidentiality); many accounts showed unexplained transactions and incorrect balances (integrity) and about half of customers couldn’t access their accounts at all (availability).

The Information Commissioner’s Office (ICO) has said: “We are aware of a potential data breach in relation to TSB and are making inquiries.”

When the General Data Protection Regulation (GDPR) comes into effect on 25 May, breached organisations face potential fines of up to €20 million (£17 million) or 4% of annual global turnover – whichever is greater – and legal action from aggrieved data subjects.

Cyber security and incident response management

Data breaches are almost inevitable nowadays. If you’re worried about suffering a breach – or the consequences of an incident at your organisation, the international standard ISO 27001 sets out a best-practice approach for an information security management system (ISMS) that can be followed by all organisations.

You can get practical advice on implementing the Standard on our ISO27001 Certified ISMS Foundation Training Course.

This one-day course explains how to make the most of ISO 27001 and provides a complete introduction to the key elements required to achieve compliance with the Standard.