In late 2016, the British retail bank Tesco Bank suffered a major cyberattack that led to the theft of £2.26 million in total from a number of its account holders. The UK's Financial Conduct Authority (FCA), which regulates the banking sector, believes the bank could have avoided the incident but failed to do so through a lack of "due skill, care, and diligence." The FCA has now fined Tesco Bank £16.4 million over the breach.
Mark Steward, executive director of enforcement and market oversight at the FCA, said:
"The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks."
"In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all."
According to the regulator, around 9,000 customers were victims of the theft, and a total of 40,000 accounts were compromised, although Tesco Bank froze online transactions for all of its account holders as soon as it discovered the breach. The investigation later found that the attackers exploited security flaws in the design of the bank's debit card, in its financial crime controls, and in its financial crime operations team.
The FCA further said it was possible that the attackers had generated authentic Tesco Bank debit card numbers using an algorithm and then executed multiple debit card transactions with those numbers. The bank was found to have breached Principle 2 of the FCA's Handbook, which requires firms to conduct their business with due skill, care and diligence.
It's worth noting that the breach did not affect customers' personal data. The fine will be used to reimburse customers affected by the cyberattack.