Tesco Bank fined £16.4 million over cyber attack

Britain’s financial regulator has fined Tesco Bank £16.4 million over a cyber attack in 2016 which cost its customers £2.26 million in the first penalty of its kind.

The Financial Conduct Authority (FCA) said that the attack had been largely avoidable and that the bank’s reaction was ‘too little too late’, after it emerged that the bank had previously received a specific warning about the type of transaction used in the hack.

Sophisticated criminal fraud

Tesco Bank said it had been the victim of ‘a sophisticated criminal fraud’ and was ‘very sorry’ for the impact the attack had on its customers.

The hackers, based in Brazil, managed to penetrate the bank’s cyber defences and stole more than £2 million from 34 accounts, which has since been repaid to the customers.

Fake transactions

It is believed the fraudsters managed to carry out thousands of fake contactless card transactions over a period of two days, probably using genuine Tesco Bank card numbers.

One customer is understood to have lost £65,000.

Exploited

In a statement the FCA said: “Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack.

“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.”

The regulator said 8,261 Tesco customers were affected by the attack, suffering disruption to their card payments, but there was no suggestion that the bank’s servers had been breached in the attack.

No tolerance

FCA executive director of enforcement and market oversight, Mark Steward, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”

Failed

The regulator found that Tesco had failed to exercise due skill, care and diligence to:

  • Design and distribute its debit card
  • Configure specific authentication and fraud detection rules
  • Take appropriate action to prevent the foreseeable risk of fraud
  • Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency

Reduce the risk

Mr Steward added: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.

“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

Discount on fine

The FCA said it had originally calculated the penalty to be imposed on Tesco as £33.56 million but that the amount had been reduced by 60%.

Early settlement of the matter qualified for a 30% discount and a further 30% had been awarded because of the bank’s ‘high level of cooperation, its comprehensive redress programme which fully compensated customers and in acknowledgement that it stopped a significant percentage of unauthorised transactions.’

Apology

Gerry Mallon, Tesco Bank’s chief executive, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.

“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
