Tesco Bank has been fined £16.4m by the Financial Conduct Authority (FCA) for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack in November 2016.
The FCA expressed concern about the cyber security of banks just days after 9,000 Tesco Bank customers lost £2.26m in fraudulent transactions.
Normal services for thousands of customers were affected when online banking services were suspended temporarily after the bank detected the attack.
Tesco said funds were debited from accounts in 34 fraudulent transactions, but that the attack did not involve the theft or loss of any customers’ data.
According to the FCA, the attack exploited “deficiencies” in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team.
“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours,” the FCA said.
The bank avoided a greater fine of £33.56m by implementing a “comprehensive redress” programme immediately and devoting significant resources to fixing the bank’s vulnerability to attack, the FCA said.
Gerry Mallon, CEO of Tesco Bank, apologised for the impact of the fraud attack. “Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice,” he said in a statement.
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
Mark Steward, executive director of enforcement and market oversight at the FCA, said the fine reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” he said. “This was too little, too late. Customers should not have been exposed to the risk at all.”
Steward said banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.
“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack,” he said. “Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”
Jake Moore, cyber security expert at ESET UK, said banks need to maintain the utmost security and show the public they are resilient to attacks to ensure their customers’ bank balances are safe from criminals.
“Unfortunately, a cyber attack on a bank will not only weaken customer confidence in this particular bank, but all online banks in general,” he said.
Moore said that companies, and especially banks, need to understand that personal details, or in this case customers’ money, can be stolen in seconds, but customer trust can take years to rebuild.
“This was a calculated attack, so being open with the FCA from the start not only reduced the amount stolen from escalating, but it also reduced the size of the fine thereafter,” he said.
Ross Brewer, vice-president and European managing director of LogRhythm, said the fine reflects how serious and stringent regulators are when it comes to data protection.
“In this case, the cyber criminals may have managed to steal £2.26m, but Tesco has come off much worse after being hit with a £16.4m fine,” he said. “What is frustrating is that this attack could have easily been avoided.”
Businesses have to learn lessons from these breaches, said Brewer. “Tesco is a big enough company that should survive a fine this high, but not every company will be in the same position,” he said.
Attacks on retailers and banks no longer surprise anyone, said Brewer. “But what is still incomprehensible is that so many of these companies are failing to identify threats from the offset.”
It is therefore crucial, he said, that businesses have tools in place that can flag unusual or anomalous activity as soon as it happens, giving businesses the opportunity to neutralise threats immediately and avoid the embarrassing and damaging aftermath of a breach.