The UK Financial Conduct Authority (FCA) announced today that they have fined Tesco Bank £16.4 million for negligence in protecting their customers in a 2016 cyber attack that caused £2.26 million to be stolen from the bank's customers.
"The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks," stated Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA. "In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all."
In 2016, attackers exploited weaknesses in the bank's debit card design and security controls to steal £2.26 million from 9,000 customers over a 48-hour period. Security researchers attributed these attacks to improper website configuration, mobile app design choices, and a lack of security controls that could have stopped attackers from guessing account credentials.
While the bank fully compensated all customers who had money stolen from them, the FCA states that Tesco Bank breached Principle 2, which requires firms to conduct their business with "skill, care and diligence".
The FCA found that Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:
The FCA also stated that Tesco Bank would have faced a much larger fine of £33,562,400 if it had not immediately compensated its customers, audited its security controls, and implemented new controls to prevent such attacks in the future.
Due to the bank's immediate security review and redress for their customers, the FCA provided a 30% discount on the fine. For agreeing to an early settlement, the FCA gave the bank an additional 30% discount.
"Tesco Bank provided a high level of cooperation to the FCA," stated the FCA announcement. "Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation. In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400."