Fraudsters claimed £2.26m
Tesco Bank fined £16.4m after cyber attack on accounts
The FCA said Tesco Bank customers ‘should not have been exposed’ to the attack
Tesco Bank has been fined £16.4 million for its failure to adequately protect customers from cyber criminals who stole £2.26 million over a 48-hour period.
The Financial Conduct Authority (FCA) said the Edinburgh-headquartered bank did not exercise due skill, care and diligence in protecting its personal current account holders in a “largely avoidable” attack in November 2016.
Cyber criminals were able to exploit deficiencies in the design of its debit card, its financial crime controls and the competence of its Financial Crime Operations Team.
The attackers are understood to have used an algorithm that generated authentic Tesco Bank debit card numbers and, using those “virtual cards”, they engaged in thousands of unauthorised debit card transactions.
Tesco Bank narrowly avoided a fine of £33.5m by agreeing to settle early and because of its level of cooperation with the regulator.
The attack did not involve the loss or theft of customers’ personal data, the FCA said. However, it led to 34 transactions where funds were debited from customers’ accounts, and other customers having normal service disrupted. All the money was refunded into customers’ accounts.
Executive director of enforcement and market oversight at the FCA, Mark Steward, said the value of the fine “reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks”.
He added: “In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.”
Tesco Bank had made no attempts to stop the attack, said the regulator. Therefore, avoidable fraudulent transactions multiplied, calls from customers mounted and the attack continued.
“Customers should not have been exposed to the risk at all,” said Mr Steward.
However, according to the FCA, Tesco Bank put in place a “comprehensive redress programme and devoted significant resources to improving the deficiencies that left the bank vulnerable” immediately after the attack.
It said: “[Tesco Bank] has made significant improvements both to enhance its financial crime systems and controls and the skills of the individuals who operate them.”
Steward added: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.
“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack.
“Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
The incident happened under former chief executive Benny Higgins, who retired from the bank earlier this year. Current chief executive Gerry Mallon issued an apology for the breach.
“We are very sorry for the impact that this fraud attack had on our customers,” he said.
“Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”