Tesco fined £16.4 million over 2016 cyber attack

Tesco Bank has been fined £16.4 million by the UK financial regulator for cyber security failings relating to an attack that occurred in 2016.

In a final notice, the Financial Conduct Authority (FCA) said that the bank had failed to exercise due skill, care and diligence in protecting the accounts of its customers.

The FCA also claimed that the attack was largely avoidable and led to the loss of over £2 million from the bank’s customers.

Mark Stewart, executive director of enforcement and market oversight at the FCA, said:

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”

According to the FCA, attackers exploited deficiencies in the design of the bank’s credit cards, as well as those in its financial crime controls and its crime operations team.

During the attack, there were 34 transactions in which funds were debited from accounts, although no loss of data or personal information occurred.

Tesco Bank added that customers who were not victims of the crime also had their normal services interrupted.

Gerry Mallon, Tesco Bank's chief executive, said: "We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers' accounts and we fully accept the FCA's notice.

"We have significantly enhanced our security measures to ensure that our customers' accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016."

Tesco Bank ensured that all lost funds were refunded to customers, and its agreement to an early settlement with the FCA meant that its fine was reduced from £33.6 million.