The UK’s financial regulator (FCA) has issued Tesco bank with a £16.4 million penalty over an online cyber incident that occurred two years ago, the first fine the FCA has issued because of a cyber incident.
Tesco Bank’s weak cyber defences left its customers vulnerable to a “largely avoidable” attack in 2016 that netted attackers £2.26 million, the Financial Conduct Authority said in a statement on Monday – and reported in the FT.
It added the banking arm of the UK’s biggest supermarket did not properly respond until after the attack started to a specific warning around its online defences. Still, the FCA more than halved the draft penalty of £33.6 million that Tesco Bank was initially facing because it agreed to settle, co-operated fully and had already compensated customers.
The eventual £16.4 million fine is the first time the FCA has penalised a company for an online fraud and it comes as banks are increasingly under scrutiny for IT failures and cyber attacks.
Last month, millions of customers were locked out of their online accounts after both Barclays and Royal Bank of Scotland’s NatWest suffered IT outages.
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” said Mark Steward, the FCA’s enforcement director. “This was too little, too late. Customers should not have been exposed to the risk at all”.
While Tesco Bank customers affected by the attack — described by regulators at the time as “unprecedented” — were initially estimated to be as high as 50,000, the final tally stood at just 50.
The bank has insisted that no customer data was lost and none of its systems were breached in the “highly sophisticated attack”. The bank said that there were 34 transactions where funds were debited from customers’ accounts, while other customers suffered disrupted service.