| Recurring |
one_organization, multiple_organization |
(a) The software failure incident having happened again at one_organization:
- The article mentions that Tesco Bank faced a "systematic, sophisticated attack" resulting in money being stolen from accounts [49585].
- It is suggested that unless banks adopt best practices and improve their security measures, it will only be a matter of time before another similar episode occurs at another bank [49585].
- The incident at Tesco Bank raises concerns about the security practices and measures in place within the organization [49585].
(b) The software failure incident having happened again at multiple_organization:
- The article mentions that the consumer group Which? criticized some of Britain's biggest banks, including Halifax, Bank of Scotland, Lloyds, Santander, and TSB, for failing to invest in security systems to protect customers from fraudsters [49585].
- Which? found that these banks did not offer "two-factor authentication" at login, despite having the technology to do so, indicating a lack of robust security measures across multiple organizations [49585]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be attributed to the system development and procedures to operate or maintain the system. In the case of the Tesco Bank attack, experts suggested that the bank's move from using card readers to mobile phone verification might have introduced vulnerabilities. Cliff Moyce, a financial security expert, mentioned that the customer losses at Tesco Bank were likely caused by a failure of its IT security and data protection processes, rather than an outside hack like in the TalkTalk incident [49585].
(b) The software failure incident related to the operation phase can be linked to factors introduced by the operation or misuse of the system. The use of personal devices for work, known as "bring your own device" (BYOD), was highlighted as a potential risk factor. Cliff Moyce mentioned that the trend of BYOD, if not implemented with good policies and practices, could lead to breaches of the UK Data Protection Act and introduce malware into a secure network [49585]. |
| Boundary (Internal/External) |
within_system, outside_system |
The software failure incident at Tesco Bank can be analyzed in terms of the boundary of the failure incident:
(a) within_system: The incident at Tesco Bank was likely due to contributing factors that originated from within the system. The failure was attributed to a "failure of its IT security and data protection processes" rather than an external hack [49585].
(b) outside_system: On the other hand, there are suggestions of potential external factors contributing to the incident, such as the possibility of an "economic hack" involving an offshore employee offering customer data [49585]. Additionally, the incident raised concerns about the security practices of banks in general, indicating a broader industry issue beyond Tesco Bank's internal system [49585]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident occurring due to non-human actions:
The incident at Tesco Bank, in which £2.5m was taken from around 9,000 current account holders, was described as a "systematic, sophisticated attack" [49585]. The non-human contributing factors suggested in the article are technical: the fraudsters may have obtained debit card details or found a vulnerability in the bank's app, and Cliff Moyce attributed the losses to a failure of the bank's IT security and data protection processes rather than to an outside hack [49585]. The article also reports that an "economic hack", in which an offshore employee offers customer data for financial gain, is being investigated; that scenario would involve a human insider and is a possibility under investigation rather than an established cause [49585].
(b) The software failure incident occurring due to human actions:
The incident at Tesco Bank raises questions about the bank's security practices and the decision to move from using card readers to mobile phone verification for login and transactions [49585]. The bank's former chief information officer championed a "bring your own device" (BYOD) policy, which could introduce risks such as breaches of data protection laws and the potential for introducing malware into the network [49585]. The article also mentions that some banks, including Tesco Bank, have been criticized for not investing in security systems that would better protect customers from fraudsters, indicating potential shortcomings in human decisions regarding security measures [49585]. |
| Dimension (Hardware/Software) |
software |
(a) The articles do not provide specific information about the software failure incident occurring due to hardware-related factors.
(b) The software failure incident at Tesco Bank was primarily attributed to contributing factors originating in software. The incident involved a "systematic, sophisticated attack" in which money was taken from accounts, after which the bank suspended online banking for all customers [49585]. The article points to weaknesses in the bank's IT security and data protection processes and to the possibility that fraudsters obtained debit card details or found a vulnerability in the bank's app; the shift from card readers to codes sent to customers' mobile phones was also raised as a possible weakening of the authentication software and processes [49585]. |
| Objective (Malicious/Non-malicious) |
malicious, non-malicious |
(a) The software failure incident at Tesco Bank was malicious: it was described as a "systematic, sophisticated attack" in which fraudsters deliberately took money from customer accounts [49585]. The suggestion that the losses stemmed from a failure of the bank's IT security and data protection processes, rather than from an outside hack, concerns how the attackers got in (for example through compromised card details, an app vulnerability or an insider), not whether the intent was malicious [49585].
(b) On the non-malicious side, the incident also highlighted potential vulnerabilities in the bank's security practices, such as the shift from using card readers to mobile phone verification for login and transactions [49585]. Additionally, the use of personal devices for work (BYOD) was mentioned as a potential risk factor, indicating unintentional contributing factors that could have led to the failure [49585]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
(a) The software failure incident at Tesco Bank was related to poor decisions made regarding security measures. The bank initially issued customers with card readers for authentication but later moved to mobile phone verification, in which it sends a code to the customer's handset. Experts suggested that replacing a separate hardware device with a code delivered to the phone might have introduced vulnerabilities, so the switch was judged a poor trade of security for convenience in online banking [49585].
(b) The software failure incident at Tesco Bank was also related to accidental decisions or unintended consequences. The move to mobile phone verification was driven by customer feedback that they wanted something more portable than the card reader. Any weakening of authentication was therefore an unintended consequence of balancing security against convenience, which may nonetheless have contributed to the breach [49585]. |
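The difference between the two authentication schemes described in this row, as an added example written for this page rather than taken from the article or from Tesco Bank's systems. It assumes (the article does not say this) that the card reader behaved like an RFC 4226 HOTP device that mixes the payee and amount the customer keys in into the code, and that the code sent to the handset is the same HOTP over a counter alone; the secret, counter and transactions are constructed for the demonstration. What it shows is that a delivered code authorises whatever request it is submitted with, whereas a transaction-bound code is rejected if the payee or amount is changed between the customer and the bank.

```python
"""Added example (not from the article): a one-time code delivered to a
handset versus a code that commits to the transaction it authorises.

Assumptions, not stated in the article: the card reader is modelled as an
HMAC over a per-customer secret, a counter and the transaction details
(payee, amount), truncated as in RFC 4226; the "code sent to the handset"
is modelled as the same construction over the counter alone. The secret,
counter and transactions below are constructed for the demonstration.
"""
import hashlib
import hmac


def _truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at the offset given by the
    low nibble of the last byte, clear the top bit, reduce mod 10**digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def delivered_code(secret: bytes, counter: int) -> str:
    """Plain OTP: depends only on the shared secret and a counter, so it
    says nothing about which payment it is meant to approve."""
    msg = counter.to_bytes(8, "big")
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


def transaction_bound_code(secret: bytes, counter: int,
                           payee: str, amount_pence: int) -> str:
    """Card-reader style challenge/response: the customer keys the payee and
    amount into the device, so the resulting code commits to both."""
    msg = (counter.to_bytes(8, "big")
           + payee.encode("utf-8") + b"\x00"
           + amount_pence.to_bytes(8, "big"))
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def verify_delivered(secret: bytes, counter: int, submitted: str,
                     payee: str, amount_pence: int) -> bool:
    """Server-side check for the delivered code. The payee and amount are
    accepted as arguments only to show that they play no part in the check."""
    return hmac.compare_digest(delivered_code(secret, counter), submitted)


def verify_bound(secret: bytes, counter: int, submitted: str,
                 payee: str, amount_pence: int) -> bool:
    """Server-side check for the bound code: recompute over the payee and
    amount the bank is actually about to execute."""
    expected = transaction_bound_code(secret, counter, payee, amount_pence)
    return hmac.compare_digest(expected, submitted)


def tamper_demo() -> tuple:
    """The customer approves £10.00 to 'Alice'. Someone who captures the code
    (or malware that rewrites the request) submits it for £2,500.00 to 'Mule'.
    Returns (delivered_code_accepted, bound_code_accepted)."""
    secret = bytes(range(32))          # constructed, not a real key
    counter = 7
    intended = ("Alice", 1000)         # what the customer saw and approved
    swapped = ("Mule", 250000)         # what reaches the bank

    code = delivered_code(secret, counter)
    delivered_accepted = verify_delivered(secret, counter, code, *swapped)

    code = transaction_bound_code(secret, counter, *intended)
    bound_accepted = verify_bound(secret, counter, code, *swapped)
    return delivered_accepted, bound_accepted


if __name__ == "__main__":
    print(tamper_demo())
```

The delivered code is accepted for the swapped payment because nothing in it refers to the payment; the bound code fails because the bank recomputes it over the payee and amount it is about to execute. This is the property a card reader that signs transaction details gives and a code pushed to a handset, on its own, does not; whether Tesco Bank's readers did transaction signing is not stated in the article.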
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident related to development incompetence is evident in the Tesco Bank case. The incident involved a "systematic, sophisticated attack" resulting in £2.5m being stolen from around 9,000 current account holders [49585]. The incident raised questions about the bank's security measures, with experts suggesting that the losses were likely caused by a failure of IT security and data protection processes rather than an outside hack [49585]. Additionally, the decision to move from using card readers to mobile phone verification raised concerns about the bank's security practices and the potential vulnerabilities introduced by such changes [49585].
(b) The software failure incident related to accidental factors is not explicitly mentioned in the articles provided. |
| Duration |
temporary |
The article does not state how long the incident or the resulting service suspension lasted. The attack took £2.5m from around 9,000 current account holders, and the bank suspended online banking for all 136,000 customers and the National Crime Agency opened an investigation; the suspension was a temporary withdrawal of service rather than a permanent one, while the affected accounts had money stolen and were compromised. The incident prompted discussion of security measures and vulnerabilities in the bank's systems, of the security practices of banks in general, and of the potential for future attacks [49585]. |
| Behaviour |
value, byzantine, other |
(a) crash: Not a crash in the taxonomy sense. The "systematic, sophisticated attack" led to money being taken from accounts, and the bank then suspended online banking for all its customers; that outage was a deliberate protective measure by the bank, not the system stopping on its own [49585].
(b) omission: No omission failure of the system is described. Tesco Bank declined to reveal how the money was taken, but that is a disclosure decision by the bank, not the system failing to deliver a service [49585].
(c) timing: There is no specific mention of timing-related failures in the incident at Tesco Bank.
(d) value: Money left customer accounts without the account holders' authorisation, so the system produced incorrect results instead of performing its intended function correctly [49585].
(e) byzantine: The attack was described as sophisticated and systematic, and the bank did not reveal how the money was taken; the affected accounts produced debits inconsistent with what their holders had authorised while the rest of the system kept operating, which is the inconsistency in system behaviour that the byzantine classification captures here [49585].
(f) other: The incident also raises concerns about the bank's security practices, such as the use of personal devices for work (BYOD) and the shift from card readers to mobile phone verification, which could introduce additional risks and vulnerabilities [49585]. |