By Lauren Howells.
Tesco Bank has been fined £16.4 million by the Financial Conduct Authority (FCA), following a “largely avoidable” cyber attack which took place in November 2016.
The financial regulator said that the bank had failed to exercise due skill, care and diligence in protecting its current account holders against an attack.
The cyber attack did not involve customer data theft or loss but resulted in 34 transactions where funds were debited from customers’ accounts. Other customers had their normal service disrupted.
The incident, which occurred over 48 hours, resulted in the attackers netting £2.26 million.
The FCA said that, in order to carry out the attack, those responsible had exploited deficiencies in Tesco Bank’s design of its debit card, in its financial crime controls and in its Financial Crime Operations Team. It added that these deficiencies had left personal current account holders at Tesco Bank vulnerable to an incident that was largely avoidable.
No tolerance for banks failing to protect customers
The FCA found that Tesco Bank had failed to exercise due skill, care and diligence to respond to the attack with “sufficient rigour, skill and urgency”.
Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said that the fine reflected the fact that the FCA had no tolerance for banks that failed to protect customers from foreseeable risks. In this case, the cyber attack was the subject of a very specific warning that Tesco Bank had not properly addressed until after the attack had already begun, he said, describing this as “too little, too late”.
“Customers should not have been exposed to the risk at all,” he said.
Mr Steward pointed out that Tesco Bank had subsequently strengthened its controls “with the object of preventing this type of incident from being repeated”.
Fine reduced from just under £33.6 million
Tesco has since fully compensated customers. The FCA pointed out that it was this, together with Tesco Bank’s “high level of cooperation” with the FCA and its agreement to an early settlement, which had resulted in the fine being reduced from the original figure of just under £33.6 million.
Tesco Bank’s Chief Executive, Gerry Mallon, apologised for the impact that the attack had on the bank’s customers.
“Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.”
Tesco Bank had since “significantly enhanced” its security measures, to ensure its customers’ accounts had the “highest levels of protection”, he added.