Tesco Bank has been fined £16.4m by the UK’s financial regulator for deficiencies which allowed hackers to steal millions from its customers in 2016.
Online attackers bagged £2.24m in the November raid two years ago, in what the lender described as “sophisticated criminal fraud.”
Although the actual MO of the attackers is still unknown, the Financial Conduct Authority (FCA) has seen the details and decided to slap a major fine on Tesco Bank for “failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack.”
Specifically, the bank failed the regulator’s Principle 2, due to deficiencies in the “design of its debit card,” and its configuration of fraud detection and authentication rules.
The bank was also criticized for failing to respond to the incident with “sufficient rigor, skill and urgency.”
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” explained FCA executive director of enforcement and market oversight, Mark Steward.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
The fine would have been an even bigger £33.5m had Tesco Bank not provided high-level co-operation which helped to protect more customers and quickly compensate those affected. It also received a 30% discount for early settlement, the FCA said.