Incident: Tesco Bank Cyber Attack: Debit Card Design Vulnerability Incident

Published Date: 2018-10-01

Postmortem Analysis
Timeline
1. The software failure incident at Tesco Bank happened in November 2016 [75555].

System
1. Tesco Bank's design of its debit card [75555]
2. Tesco Bank's financial crime controls [75555]

Responsible Organization
1. Cyber attackers exploited deficiencies in Tesco Bank's design of its debit card and in its financial crime controls, leading to the software failure incident [75555].

Impacted Organization
1. Tesco Bank's personal current account holders [75555]

Software Causes
1. Cyber attackers exploited deficiencies in Tesco Bank's design of its debit card and in its financial crime controls, leading to the failure incident [75555].

Non-software Causes
1. Lack of proper design in Tesco Bank's debit card system [75555]
2. Deficiencies in Tesco Bank's financial crime controls [75555]
3. Failure to address a specific warning about the cyber attack in a timely manner [75555]

Impacts
1. Tesco Bank was fined 16.4 million pounds by the Financial Conduct Authority for failing to protect account holders from a cyber attack that left customers exposed to fraudulent transactions [75555].
2. The cyber attackers netted 2.26 million pounds during the incident, which took place over 48 hours [75555].
3. The incident led Tesco Bank to enhance its security measures to prevent future cyber attacks and protect its customers [75555].

Preventions
1. Implementing robust design of debit card systems and financial crime controls to prevent exploitation by cyber attackers [75555].
2. Enhancing cyber security measures and making cyber security a central priority for the organization rather than just an issue for the IT unit [75555].
3. Responding quickly to fraudulent transactions and updating customers regularly to mitigate the impact of the incident [75555].
4. Addressing specific warnings and risks promptly, before an attack occurs, to prevent customer exposure to those risks [75555].

Fixes
1. Implementing robust design of debit card systems and financial crime controls to prevent exploitation by cyber attackers [75555].
2. Enhancing cyber security measures to protect account holders from foreseeable risks [75555].
3. Making cyber security a central priority for banks rather than just an issue for the IT unit [75555].

References
1. Financial Conduct Authority
2. Tesco Bank
3. Bank of England
4. Parker Fitzgerald
5. Mark Steward, FCA's executive director for enforcement
6. Kyle Hastings, cyber risk partner at Parker Fitzgerald
7. Tesco (supermarket group)
8. Customers
9. Huw Jones (reporter)
10. Alexander Smith (editor)
11. Jason Neely (editor)
12. Reuters (publisher)
[75555]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | unknown | (a) Happened again at one_organization: the article does not mention any previous similar incidents within Tesco Bank or with its products and services, so there is no information to suggest that a similar incident has recurred at Tesco Bank [75555]. (b) Happened again at multiple_organization: the article does not provide information about similar incidents at other organizations or with their products and services, so there is no evidence that this specific type of incident has occurred at multiple organizations [75555].
Phase (Design/Operation) | design | (a) The software failure incident was primarily attributed to design factors. The Financial Conduct Authority stated that cyber attackers exploited deficiencies in Tesco Bank's design of its debit card and in its financial crime controls, leaving account holders vulnerable to the cyber attack [75555]. Additionally, the FCA's executive director for enforcement, Mark Steward, emphasized that the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started, indicating a failure to address design-related vulnerabilities [75555].
Boundary (Internal/External) | within_system | (a) within_system: the software failure incident at Tesco Bank was primarily due to deficiencies in Tesco Bank's design of its debit card and in its financial crime controls, which left account holders vulnerable to a cyber attack [75555]. Additionally, the article mentions that once senior management at Tesco Bank became aware of the attack, they responded quickly to stop the fraudulent transactions and deployed significant resources to address the issue, indicating an internal response to the incident.
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident at Tesco Bank was primarily due to non-human actions, specifically cyber attackers exploiting deficiencies in Tesco Bank's design of its debit card and in its financial crime controls. The attackers were able to net 2.26 million pounds over 48 hours because of these vulnerabilities [75555]. (b) Human actions also played a role, as the Financial Conduct Authority fined Tesco Bank for failing to protect account holders from a "foreseeable" cyber attack. The FCA stated that Tesco Bank did not properly address a specific warning about the attack until after it had already started, indicating a human failure to address the cyber security risks [75555].
Dimension (Hardware/Software) | software | (a) The software failure incident reported in Article 75555 was primarily due to contributing factors originating in software rather than hardware. The Financial Conduct Authority fined Tesco Bank for failing to protect account holders from a cyber attack that exploited deficiencies in Tesco Bank's design of its debit card and financial crime controls. The FCA specifically stated that the cyber attackers exploited weaknesses in Tesco Bank's systems, indicating a software-related failure [75555].
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident in this case was malicious. The article states that cyber attackers exploited deficiencies in Tesco Bank's design of its debit card and in its financial crime controls, leading to a cyber attack that netted the attackers 2.26 million pounds [75555]. The Financial Conduct Authority fined Tesco Bank for failing to protect account holders from this "foreseeable" cyber attack, indicating that the failure was due to contributing factors introduced by humans with the intent to harm the system.
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The software failure incident at Tesco Bank was primarily due to poor decisions rather than accidental decisions. The Financial Conduct Authority (FCA) fined Tesco Bank for failing to protect account holders from a "foreseeable" cyber attack, which was attributed to deficiencies in the design of its debit card and financial crime controls [75555]. The FCA emphasized that these deficiencies left customers vulnerable to the cyber attack, which could have been largely avoided. Additionally, the FCA's executive director for enforcement, Mark Steward, stated that the attack was the subject of a specific warning that Tesco Bank did not properly address until after the attack had already started, indicating poor decision-making in addressing the risks [75555].
Capability (Incompetence/Accidental) | development_incompetence | (a) The software failure incident at Tesco Bank was attributed to deficiencies in the design of its debit card and financial crime controls, which left account holders vulnerable to a cyber attack [75555]. This indicates a failure due to development incompetence, as these deficiencies were likely introduced through a lack of professional competence in designing secure systems. (b) The incident was described as largely avoidable and occurred over 48 hours, suggesting that the failure was not accidental but rather the result of known vulnerabilities that were not adequately addressed in a timely manner [75555].
Duration | temporary | The software failure incident at Tesco Bank was temporary. The cyber attack that exploited deficiencies in Tesco Bank's design of its debit card and financial crime controls occurred over 48 hours, during which cyber attackers were able to net 2.26 million pounds [75555]. The incident was described as largely avoidable, indicating that specific circumstances contributed to the failure rather than it being a permanent issue present in all circumstances.
Behaviour | value, other | (a) crash: the incident is not described as a crash, where the system loses state and does not perform any of its intended functions [75555]. (b) omission: the incident is not described as an omission, where the system fails to perform its intended functions at one or more instances [75555]. (c) timing: the incident is not described as a timing issue, where the system performs its intended functions correctly but too late or too early [75555]. (d) value: the incident is described as a failure in which the system performed its intended functions incorrectly, leading to vulnerabilities that were exploited by cyber attackers [75555]. (e) byzantine: the incident is not described as a byzantine failure, where the system behaves erroneously with inconsistent responses and interactions [75555]. (f) other: the incident is related to deficiencies in the design of the debit card system and financial crime controls of Tesco Bank, which left account holders vulnerable to a cyber attack and resulted in a significant financial loss [75555].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property | The consequence of the software failure incident in the reported article was related to property. The incident at Tesco Bank resulted in cyber attackers exploiting deficiencies in the bank's design of its debit card and financial crime controls, leading to customers' accounts being compromised and the attackers netting 2.26 million pounds [75555]. The incident therefore affected people's material goods (money).
Domain | finance | (a) The failed system in this incident belonged to the finance industry, as it involved a cyber attack on Tesco Bank's debit card system that left account holders vulnerable to fraudulent transactions [75555].

Sources
