Tesco Bank has been fined £16.4m for failing to protect customers against what regulators called a “largely avoidable” cyber attack.
In November 2016, criminals exploited deficiencies in the design of the bank’s debit cards and in its financial crime controls to steal £2.26m from current account holders over the course of two days.
The Financial Conduct Authority said the fine – one of the biggest ever issued for poor cyber security in the UK – reflected the fact that it has “no tolerance for banks that fail to protect customers from foreseeable risks”.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” said the FCA’s enforcement director Mark Steward. “This was too little, too late.”
The regulator found the bank had failed to exercise due skill, care and diligence in protecting current account holders from what it described as a “largely avoidable” attack.
In a statement, Tesco Bank said that while the incident did not lead to the loss of personal data, funds were stolen from customers through 34 transactions, and that normal service was disrupted.
“We are very sorry for the impact that this fraud attack had on our customers,” said the bank’s CEO Gerry Mallon. “Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.”
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
The FCA would have fined the bank a total of £33.5m had it not cooperated with the regulator after the attack and agreed to an early settlement.
“Banks need to maintain the utmost security and show the public they are resilient to attacks to ensure their customers’ bank balances are safe from criminals,” said ESET cyber security expert Jake Moore. “Unfortunately, a cyber attack on a bank will not only weaken customer confidence in this particular bank but all online banks in general. This is a huge fine for a cyber attack but it has also been placed to reduce the likelihood of this type of attack from reoccurring.”