FCA fines Tesco Bank £16.4m for failures in 2016 cyberattack
The UK’s Financial Conduct Authority (FCA) has fined Tesco Personal Finance (Tesco Bank) £16.4 million for lack of care and diligence in protecting its personal current account holders against a cyberattack in November 2016.
As reported in 2016, Tesco Bank revealed that 20,000 of its customers had up to £2,000 stolen from their accounts in a cyberattack.
Tesco Bank refunded £2.5 million to 9,000 customers who had money stolen from their accounts by fraudsters over that unhappy weekend. The bank has 7.8 million customer accounts across the UK. 136,000 customers hold current accounts with the bank; of these, 9,000 were identified as victims of fraud.
In the latest development, the FCA says cyber attackers exploited deficiencies in the design of Tesco Bank’s debit card, in its financial crime controls and in its Financial Crime Operations Team to carry out the attack.
The FCA says those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26 million.
Mark Steward, executive director of enforcement and market oversight at the FCA, says: “The attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
He adds that Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.
Tesco Bank provided a “high level of cooperation” to the FCA. In addition, the bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33.5 million.