Tesco Bank has been fined for failing to safeguard customer information, after hackers managed to steal £2.26 million from customer accounts in November 2016.
The UK’s financial regulator, the Financial Conduct Authority (FCA), has fined the firm £16.4 million, arguing that the attack was avoidable and that Tesco did not respond to it properly. The bank’s cooperation with the FCA led the regulator to reduce the fine from its initial value of £33.6 million. This is the first fine the FCA has ever issued for cybersecurity failings. In partnership with the Bank of England, the FCA has announced that tackling cybercrime, and encouraging firms to be more cyber-savvy, is now a top priority.
Mark Steward, the FCA’s executive director of enforcement and market oversight, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
Weaknesses in Tesco’s financial crime controls and operations team meant that the fraudulent transactions remained undiscovered far longer than should have been the case. Customer data was not compromised, but the hackers made 34 transactions using customer debit accounts over a 48-hour period. Tesco has since refunded the entire sum to every customer whose account was used. However, beyond the money actually lost, a significantly larger number of customers suffered a loss of service or were unable to access their accounts.
Tesco Bank’s chief executive, Gerry Mallon, apologised for their lapse in security: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.”
He promised to prioritise fixing the weaknesses that allowed the hack: “We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
Tesco Bank (along with several other firms) has been advised to make cybersecurity the responsibility of its central security and management divisions rather than of IT units, which are often ill-equipped to deal with increasingly sophisticated attacks. With the fine handed to Tesco, the FCA has signalled that it is willing to punish major financial firms heavily when they fail to protect customer data properly or lack adequate protection for their systems. Kyle Hastings, cyber risk partner at Parker Fitzgerald, said: “This contrasts with regulators’ expectations and the prospect that, as an expanding part of operational risk, cyber could attract greater prudential scrutiny and potential capital charges.”