The Financial Conduct Authority has confirmed it has fined Tesco Bank £16.4m over its 2016 cyber attack – the first penalty of its kind – after ruling that the issue had been “largely avoidable”.
The FCA said that Tesco Bank would have been fined £33.6m but received a 60% reduction in the penalty for co-operating with the investigation and for early settlement.
Tesco said the attack did not involve the theft or loss of any customers’ data, but led to 34 transactions in which funds were debited from accounts, and other customers having normal service disrupted.
The FCA said the fraud netted cyber-attackers £2.26m, exploiting “deficiencies” in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team.
Mark Steward, executive director of enforcement and market oversight at the FCA, said that the fine reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.
He added: “In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
Tesco Bank chief executive Gerry Mallon said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”