The Financial Conduct Authority (FCA) has fined Tesco Bank for “failing to exercise due skill, care and diligence in protecting” its current account holders. The ruling comes almost two years after the company was hit with a cyber attack that saw money stolen from an estimated 20,000 customers.
Tesco Bank has been fined £16.4m for its part in enabling the cyber-attack, largely for security deficiencies that left user accounts vulnerable to the theft. Across 48 hours, hackers netted £2.26m from Tesco Bank accounts.
Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.”
In particular, he noted that Tesco was warned of the attack before it happened but did not act to stop it until after it had begun. “The attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
Steward added: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
The FCA said Tesco had “failed to exercise due skill, care and diligence” in designing and distributing its debit cards, developing suitable authentication methods, fortifying against fraud, and responding to the attack.
At the time, 7 November 2016, chief executive Benny Higgins said: “We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts.”
At the time, some customers noted that as much as £600 had been taken from them. The bank was quick to reimburse the victims of the attack, although because it took place over a weekend, it was noted that the bank did not act with enough agility.
Nonetheless, the FCA has noted that Tesco “provided a high level of cooperation to the FCA”, which helped lessen the fine; it could otherwise have been as high as £33.5m.