FCA fines Tesco Bank £16.4m for 2016 cyber attack
Written by staff reporter
The Financial Conduct Authority (FCA) has fined Tesco Bank £16.4m for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack that took place in November 2016.
Cyber attackers exploited deficiencies in the design of Tesco Bank’s debit card, in its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders exposed to a largely avoidable incident that ran for 48 hours and netted the attackers £2.26m.
Mark Steward, executive director of enforcement and market oversight at the FCA, said the fine reflects the watchdog's zero-tolerance attitude towards banks that fail to protect customers from foreseeable risks. "In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all," he said.
"Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated."