Tesco Bank fined £16.4 million for failing to protect customers in cyber attack

1 October 2018

Customers caught up in Tesco Bank’s security breach in 2016 have had some justice served as the provider is fined by the Financial Conduct Authority (FCA).

The financial watchdog has fined the bank £16.4 million for “failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack.”

The attack took place in November 2016. Criminals exploited deficiencies in the design of Tesco Bank’s debit cards, in its financial crime controls and in its financial crime operations team.

The attackers stole £2.26 million from customers in 48 hours.

Mark Steward, executive director of enforcement and market oversight at the FCA, says: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”

The FCA says Tesco Bank has comprehensively addressed the issue and devoted “significant resources” to improve its security deficiencies. All customers affected were fully compensated by the provider.

Gerry Mallon, Tesco Bank chief executive, says: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.

“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”

Mr Steward adds: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”

The FCA says the proceeds from the fine, minus its enforcement costs, all go to the Treasury, and it is at the government’s discretion what is done with the money.

First online fraud fine from the FCA

Sarah Pearce, privacy and cybersecurity partner at law firm Paul Hastings, says this is the first time that the FCA has fined a firm in relation to online fraud: “The company’s £16.4m fine has been imposed by the FCA and not the Information Commissioner’s Office (ICO), the former of which arguably has stronger enforcement powers.

“This distinction is important, as this is the first time the FCA has handed out a penalty for online fraud, which is a clear signal that banks need to raise their game when it comes to their security processes.

“As such, it will be interesting to see the extent to which the two regulators discuss and coordinate their approaches when it comes to future breaches of this kind.”
