Supermarket chain Tesco would face a fine of more than £1.9bn for a breach like the one at Tesco Bank under the EU's forthcoming General Data Protection Regulation (GDPR), which uses the entire group's revenue, not just the affected subsidiary's, as the baseline for fines of up to four per cent of turnover.
The GDPR will become law in less than 24 months and will dramatically crank up the data protection regulatory regime across Europe.
One of its key features is fines of up to four per cent of annual turnover for an organisation classified as a 'data controller' that fails to meet its obligations under the regulation, which include keeping personal data secure, for example when a security breach exposes customer data.
Furthermore, lawyers generally agree that, although poorly worded, the intention of the GDPR in the case of diversified organisations like Tesco is that the turnover of the whole organisation would be used as the basis for determining the fine.
Tesco Bank had a turnover of £955m in the year to the end of September 2016, but the group as a whole filed a turnover of £48.4bn. Four per cent of the group figure would expose the company to a fine of as much as £1.94bn, with collective legal actions for breaches of data privacy, which the GDPR also makes easier to bring, on top of that.
"The GDPR text is not as clear as it could be, but most people think that is the intention [i.e. the whole group would be subject to the fine]. One German data protection authority has confirmed that that is its view too," a data protection lawyer, who asked not to be named, told V3.
The UK's data protection authority, the Information Commissioner's Office (ICO), may take a different attitude but it is, at the moment, staying tight-lipped.
It refused to be drawn on the Tesco Bank security breach after V3 sister site Computing filed a series of questions, except to issue the following statement: "We're aware of this incident and are looking into the details.
"The law requires organisations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate and enforce if necessary."
Tesco Bank suspended all online transactions over the weekend after customers started reporting discrepancies in their accounts, including reported losses of up to £2,000. The bank has promised to reimburse customers who have lost out as a result of the security breach, but it may take some time to restore the funds.
"Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently," said Tesco Bank CEO Benny Higgins over the weekend.
The bank has admitted that as many as 40,000 accounts were affected by suspicious activity, with money actually stolen from around 20,000 of them. One customer claimed that a 'cloned' debit card was used in Brazil.
Customers who find themselves short as a result of the security breach have been told to visit a Tesco supermarket to get emergency funds.