The UK’s financial regulator has fined Tesco Bank £16.4m (approx. $21.5 million) for lax cybersecurity practices that saw the bank suffer a cyberattack in November 2016.
In a statement, the Financial Conduct Authority (FCA) said that deficiencies at Tesco Bank allowed cyber attackers to carry out an attack in a “largely avoidable accident” nearly two years ago. Specifically, the regulator pointed to weaknesses in Tesco Bank’s design of its debit card, its financial crime controls, and its Financial Crime Operations Team, which together allowed the attack to take place.
“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m,” the regulator said in a statement on Monday.
In the immediate aftermath of the attack, Tesco Bank did implement a “comprehensive redress” program while pouring resources into improving its defenses and shoring up the vulnerabilities, the regulator added. Still, it was too little, too late.
FCA’s executive director of enforcement and market oversight Mark Steward said:
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
He also said that banks should build resilience against cybercrime by preventing it in the first place rather than reacting to an attack that has already taken place.
Tesco’s settlement is considered an “early settlement” and carries a 30% discount under the regulator’s settlement norms. Without the combination of a high level of cooperation and a comprehensive redress program that fully compensated customers, the bank would have been liable for a penalty of £33,562,400.
For its part, Tesco Bank said it was the victim of a “sophisticated criminal fraud attack”, and chief executive Gerry Mallon offered an apology to customers.
Image credit: Wikimedia.