FCA fines Tesco Bank £16.4m over 2016 cyber attack

Tesco Bank agreed to pay £16.4m as part of a settlement with the Financial Conduct Authority following the 2016 security breach.

The Financial Conduct Authority (FCA) has fined Tesco Bank £16.4m over the vulnerabilities in its systems that hackers exploited in 2016 to steal millions of pounds from customers’ online accounts.

In November 2016, Tesco Bank halted all online transactions after a cyber heist affected thousands of its customers. At the time, an investigation was ongoing.

The suspension was announced by chief executive Benny Higgins; at the time the bank admitted that 40,000 of its 136,000 current account customers had seen suspicious activity on their accounts, and that around half of them had lost money.

According to the bank, the hackers stole £2.26m from 9,000 customer accounts over roughly 48 hours. Most of the fraudulent transactions were made in Brazil and exploited the bank’s rules for magnetic-stripe transactions.

The bank was fined because it was not able to demonstrate “due skill, care and diligence” in protecting customers’ accounts from cyber attacks.

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, the executive director of enforcement and market oversight at the FCA.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all. Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”

“The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack.”

Tesco Bank had been warned by Visa about this type of fraud a year before the attack, but failed to apply the necessary countermeasures.

According to the FCA, Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:

  • Design and distribute its debit card.
  • Configure specific authentication and fraud detection rules.
  • Take appropriate action to prevent the foreseeable risk of fraud.
  • Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.

According to the FCA, the hackers most likely used an algorithm to generate valid Tesco Bank debit card numbers, which were then used in the fraudulent transactions.
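The page does not say which algorithm the attackers used or exactly how Tesco Bank’s rules were configured. The following is an added illustration, not Tesco Bank’s, Visa’s or the FCA’s code, of the two points the FCA’s findings turn on: a card number that passes the Luhn checksum is trivially easy to produce, so checksum validity is not evidence that a card exists, and the real control is the issuer’s authorisation rules (here, an assumed policy that declines magnetic-stripe entry from a listed country and a per-card velocity limit). All transactions, the country list, the limit and the helper names are constructed for the example.

```python
"""Toy issuer-side authorisation rules, added as an illustration.

Not Tesco Bank's, Visa's or the FCA's code. The policy below (chip-only cards,
magnetic-stripe entry never expected from the listed countries, at most
VELOCITY_LIMIT approvals per PAN in the batch) is an assumption made for the
example; real rule sets are far richer. Sample transactions are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod-10) checksum used on payment card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_complete(partial: str) -> str:
    """Append the single check digit that makes `partial` Luhn-valid.

    This is the whole 'algorithm' needed to turn any 15-digit prefix into a
    syntactically valid 16-digit PAN, which is why the checksum is a typo
    check and not an authentication control.
    """
    for d in range(10):
        candidate = partial + str(d)
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("exactly one digit in 0-9 must complete the checksum")


@dataclass
class Txn:
    pan: str
    amount: float
    country: str      # ISO 3166-1 alpha-2 country of the acquiring merchant
    entry_mode: str   # "chip", "contactless" or "magstripe"


# Assumed issuer policy for the example.
BLOCKED_MAGSTRIPE_COUNTRIES = {"BR"}
VELOCITY_LIMIT = 3


def authorise(txns):
    """Return a list of (txn, decision, reason) in input order."""
    approvals = defaultdict(int)
    out = []
    for t in txns:
        if not luhn_valid(t.pan):
            out.append((t, "DECLINE", "invalid PAN checksum"))
            continue
        if t.entry_mode == "magstripe" and t.country in BLOCKED_MAGSTRIPE_COUNTRIES:
            out.append((t, "DECLINE", "magstripe entry from blocked country"))
            continue
        approvals[t.pan] += 1
        if approvals[t.pan] > VELOCITY_LIMIT:
            out.append((t, "DECLINE", "velocity limit exceeded"))
            continue
        out.append((t, "APPROVE", "ok"))
    return out


def sample_transactions():
    """Constructed batch: one legitimate card plus one checksum-invalid PAN."""
    pan = luhn_complete("411111111111111")   # well-known test prefix
    return [
        Txn(pan, 20.0, "GB", "chip"),            # ordinary domestic purchase
        Txn(pan, 150.0, "BR", "magstripe"),      # the pattern the rule targets
        Txn(pan, 90.0, "BR", "magstripe"),
        Txn("4111111111111112", 10.0, "GB", "chip"),  # fails the checksum
        Txn(pan, 5.0, "GB", "chip"),
        Txn(pan, 5.0, "GB", "chip"),
        Txn(pan, 5.0, "GB", "chip"),             # fourth approval: over limit
    ]


def sample_decisions():
    return [decision for _, decision, _ in authorise(sample_transactions())]


if __name__ == "__main__":
    for t, decision, reason in authorise(sample_transactions()):
        print(f"{t.pan} {t.country} {t.entry_mode:<11} {t.amount:>7.2f}  {decision:<7} {reason}")
```

The point of the example is the ordering of the checks: the checksum test rejects only typos, so the magnetic-stripe and velocity rules are where fraud of the kind described on this page is actually stopped, and a rule that is not configured (or is configured only after the attack has begun) leaves nothing in the path but the checksum.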

Tesco Bank provided the FCA with all the necessary support and fully compensated its customers; it was also able to halt a significant percentage of the unauthorised transactions.

The FCA credited the bank’s post-incident efforts to limit its customers’ exposure, granting 30% credit for mitigation. Tesco Bank also agreed to an early settlement, which qualified it for a 30% (Stage 1) discount under the FCA’s executive settlement procedure.

“Tesco Bank provided a high level of cooperation to the FCA. Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation,” the FCA continues.

“In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.”


Pierluigi Paganini

(Security Affairs – Tesco cyber heist,  cybercrime)
