Tesco Bank has been fined £16.4 million by the UK’s financial watchdog following a cyber-attack in 2016.
The bank agreed to the settlement over its failure to exercise due skill, care and diligence in protecting its personal current account holders. In November 2016, attackers exploited deficiencies in the bank’s design of its debit card, its financial crime controls, and its financial crime operations team to carry out the attack.
As a result, current account holders were left exposed to what the Financial Conduct Authority (FCA) described as a ‘largely avoidable incident’, one that spanned 48 hours and netted the cyber-attackers £2.26 million. Gerry Mallon, the bank’s chief executive officer, expressed regret over the situation, saying, ‘We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.’
Mallon emphasised that the bank has since ‘significantly enhanced’ its security measures. Meanwhile, Mark Steward, executive director for enforcement and market oversight at the FCA, highlighted that the fine reflects the FCA’s zero-tolerance stance on banks failing to protect customers from foreseeable risks. He remarked, ‘In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.’
Tesco Bank benefited from a 30 per cent discount on the fine for agreeing to an early settlement.
This incident underscores the critical importance of robust security measures and proactive risk management in the banking sector.