After a cyber attack in 2016, Tesco Bank has been fined £16.4 million by the Financial Conduct Authority (FCA). The breach affected thousands of Tesco customers, who were unable to access their online account or make any transactions for 48 hours. This took place in November 2016. Following this, the bank was made to pay £2.5 million to customers who had money fraudulently taken from their bank accounts.
According to the FCA report, the bank failed to behave with adequate levels of care, diligence and skill. It also failed its customers by being unable to protect account holders from the attack. The regulator said that the online hackers “exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack”.
The FCA director of enforcement and market oversight, Mark Steward, said in a statement: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
He continued: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
When commenting on the cyber attack, Gerry Mallon, Tesco Bank’s chief executive, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”