Tesco Bank fined £16.4m for cyber security failures

Published on: 3 Oct 2018

Tesco Bank fined £16.4m for cyber security failures

Tesco Bank has been fined £16.4 million for its lax reaction to a cyber attack from late 2016 and the sub-standard cyber security defences that led to it.

Hackers stole just £2.26 million from current accounts with Tesco Bank during the cyber attack from November 2016.

Although all the money was refunded to account holders, the Financial Conduct Authority (FCA) has come down hard on the bank for its failure to exercise due skill care and diligence in protecting the account holders in the first place.

The FCA insists that the attack was largely avoidable and criticised Tesco for not responding with sufficient rigour, skill nor urgency.

Mark Steward, the FCA’s executive director of enforcement and market oversight, said the hefty £16.4 million fine reflected the FCA’s intolerance for banks that fail to protect customers from foreseeable risks.

"In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” he explained.

“This was too little, too late. Customers should not have been exposed to the risk at all.”

The attack was made possible due to deficiencies in the design of Tesco Bank's debit card, as well as its financial crime controls and in its financial crime operations team.

Tesco Bank's chief executive Gerry Mallon reacted to the fine by apologising to the affected customers and confirming that the bank had “significantly enhanced” its security measures to “the highest levels of protection”.

Photo: theasis/iStock