Tesco Bank has been fined £16.4m by the Financial Conduct Authority (FCA) over a cyber attack in 2016, in which £2m was stolen from 34 accounts. The attack has been described as “largely avoidable”.
A report found that the hack originated in Brazil, and fraudsters managed to carry out thousands of fake contactless card transactions, using genuine Tesco Bank card numbers. They exploited “deficiencies” in Tesco Bank’s debit card as well as in its financial crime controls and crime operations team.
Mark Steward, the FCA’s enforcement director, said that Tesco Bank ignored prior warnings about the specific kind of card transaction that was used in the hack. It was only after the hack happened that Tesco Bank blocked this kind of transaction.
“This was too little, too late. Customers should not have been exposed to the risk at all. The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.”
The bank could have been fined up to £33.6m, but the penalty was reduced to £16.4m because Tesco agreed to settle with the FCA, co-operated with its investigation, and had already compensated the customers who had lost money.
Gerry Mallon, the chief executive of Tesco Bank, said:
“We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”