The financial watchdog of the United Kingdom has imposed a massive £16.4m fine on Tesco Bank because of a “largely avoidable” cyber attack that affected its customers in 2016.
The Financial Conduct Authority (FCA) said that the bank was not able to exercise “due skill, care and diligence in protecting its personal current account holders” during the breach, in which attackers were able to gain approximately £2.26 million.
Mark Steward, the executive director of enforcement and market oversight of the FCA, said that Tesco did not heed the earlier warnings regarding its vulnerability to a cyber attack and that its response was “too little, too late.”
He continued: “Customers should not have been exposed to the risk at all.”
The cyber attackers were able to gain access to customers’ accounts via deficiencies in the design of the bank’s debit card, its financial crime operations team and its financial crime controls.
Tesco said that the attack did not involve the theft or loss of any customers’ information. However, it resulted in 34 transactions where funds were debited from the accounts of customers. Other customers also experienced disruptions to their normal services.
Gerry Mallon, the chief executive of Tesco Bank, stated: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
The UK watchdog said that it reduced the fine applicable to Tesco Bank because the bank had decided to co-operate with the regulator. Tesco Bank’s response of compensating its customers meant that it avoided a fine of £33.5 million.