Tesco Bank fined £16.4m over cyber attack

Regulator said the attack which saw hackers steal £2.25m from account holders was 'largely avoidable'.
Written by Danny Palmer, Senior Writer

Tesco Bank has been fined over £16m for failures which allowed cyber attackers to steal £2.26m from customers in a hacking incident which occurred over 48 hours in November 2016.

Banking regulatory body the Financial Conduct Authority said that Tesco Bank failed to "exercise due skill, care and diligence" in protecting current account holders against a cyber attack which was "largely avoidable".

The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers and, using those virtual cards, they engaged in thousands of unauthorised debit card transactions, the FCA said.

Over £2 million was stolen from the accounts of 9,000 customers and a total of 40,000 accounts were compromised. After discovering the attack, Tesco Bank temporarily froze online transactions of all of its then 136,000 account holders, leaving some customers without the ability to pay their bills.

Hackers were able to carry out the attack by exploiting security holes in Tesco Bank's design of its debit card, its financial crime controls and its Financial Crime Operations Team.

These errors included how its debit cards weren't designed for contactless transactions but could still be used for them, and how Tesco Bank's authorisation system only checked whether the debit card expired on a date in the future, as opposed to an exact day.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Principle 2 of the FCA's handbook states that a firm must conduct its business with due skill care and diligence and the investigation found that Tesco Bank failed to adhere to this principle as it failed to protect its customers from financial crime.

The FCA also found that Tesco Bank failed to respond to the cyber attack with "sufficient rigour, skill and urgency" by failing to follow written procedures on responding to the attack and following incorrect rules.

As a result, the Authority has imposed a £16.4m fine on Tesco Bank -- the bank's cooperation with the FCA resulted in this penalty being reduced from an initial £33m.

"The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks," said Mark Steward, executive director of enforcement and market oversight at the FCA.

"In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all".

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)

Tesco Bank has accepted the fine and has once again apologised to its customers.

"We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers' accounts and we fully accept the FCA's notice," said Gerry Mallon, Tesco Bank chief executive.

"We have significantly enhanced our security measures to ensure that our customers' accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016."

A Tesco Bank spokesperson wouldn't provide any additional information on exactly what additional security measures have been implemented.

Customers affected by the attack were reimbursed for their losses and some received compensation for the inconvenience caused. While the attackers managed to make off with a large sum of money, no personal data was compromised as a result of the attack.


Editorial standards