Tesco Bank fined £16.4 million for failing to protect account holders against an avoidable cyber-attack in 2016
By Cameron Abbott and Colette Légeret
The UK’s banking watchdog, the Financial Conduct Authority (FCA), has fined Tesco Bank, the banking arm of UK supermarket chain Tesco, £16.4 million (approximately AU$29.5 million) for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack that occurred in 2016.
This cyber-attack affected thousands of account holders and netted the cyber-criminals £2.26 million (approximately AU$4.07 million) in 48 hours. It was described, at the time, as an unprecedented assault against a UK regulated bank.
The FCA stated that the cyber-criminals carried out the cyber-attack by exploiting deficiencies in the design of Tesco Bank’s sequentially numbered debit cards, in its financial crime controls and in its Financial Crime Operations Team. It was these deficiencies that left the personal current account holders vulnerable to a largely avoidable cyber-attack.
Mr Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said that “the fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
As Tesco Bank co-operated with the FCA, established a comprehensive redress programme that fully compensated its customers, and stopped a significant percentage of unauthorised transactions, it was granted a 30 per cent credit for mitigation. Additionally, a further 30 per cent discount was given as Tesco Bank agreed to an early settlement. But for the mitigation credit and discount, the FCA would have imposed a £33.5 million penalty (approximately AU$60.5 million).
This FCA ruling highlights the breadth of regulatory oversight and enforcement relating to cybersecurity. Even after the mitigation credit and early-settlement discount, this was still a substantial fine.