Tesco Bank fined £16.4m over cyber attack

The bank previously paid out £2.5m to reimburse the 20,000 customers who had money removed fraudulently from their accounts during the attack 

Caitlin Morrison
Monday 01 October 2018 09:21 BST
The City watchdog said Tesco Bank failed to protect its customers from attack (PA)

Tesco Bank has been fined £16.4m by the City watchdog over a 2016 cyber-attack which affected thousands of customers.

The attack left customers unable to make any online transactions for 48 hours and the bank was forced to pay out £2.5m to cover losses after cash was fraudulently removed from accounts.

The Financial Conduct Authority (FCA) said the bank had failed to exercise due skill, care and diligence in protecting its personal current account holders against a cyber-attack.

The regulator said the hackers “exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team to carry out the attack”.

Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”

He added: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.

“The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

Gerry Mallon, Tesco Bank’s chief executive, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.

“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”

The fine “should be a wake-up call for financial institutions”, said Kyle Hastings, lead partner of cyber risk practice at consultancy Parker Fitzgerald.

“We estimate that the 30 largest banks globally spent $6.3bn (£4.8bn) on cyber security in 2017. Yet, cyber is still seen as a matter for the IT department, rather than business critical,” he said.

“This contrasts with regulators’ expectations and the prospect that, as an expanding part of operational risk, cyber could attract greater prudential scrutiny and potential capital charges.

“As financial institutions accelerate their digital transformation, they need to safeguard themselves both from the evolving threat landscape and the risks associated with digital innovations. Cyber risk management needs to become part of firms’ wider business strategy.”
