Tesco Bank fined £16m over 'largely avoidable' cyber attack
Tesco Bank has been fined £16.4m by the Financial Conduct Authority after it failed to prevent a cyber attack.
The attack, which took place in November 2016, saw funds debited from some customers’ accounts, while others had services disrupted. The attack netted the fraudsters £2.26m.
Tesco Bank, part of the supermarket giant, said it had been the victim of a sophisticated criminal fraud attack. But the FCA ruled that the bank had failed to exercise “due skill, care and diligence” in protecting its personal current account holders against the attack.
It found that the criminals had exploited deficiencies in the design of Tesco Bank’s debit card, its financial crime controls and in its financial crime operations team to carry out what should have been a “largely avoidable incident”.
Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”
The FCA said that Tesco Bank, which cooperated fully with the investigation, had quickly put in place a comprehensive redress programme and devoted "significant" resources to improving the deficiencies and strengthening its controls.
Had Tesco Bank not done this, and agreed to an early settlement with the FCA, the regulator said it would have fined the bank £33.56m.
Gerry Mallon, chief executive of Tesco Bank, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection.”