Tesco hit with £16.4m fine following cyber fraud

The Financial Conduct Authority (FCA) has hit Tesco Bank with a fine of £16.4m fine following the popular bank’s failure to deal with a cyber-attack that occurred in November 2016.

 In the aftermath of the “unprecedented” attack, reports revealed that Tesco Bank had lost £2.5m as a result of the online crime, with all money lost being refunded to the holders of the compromised accounts. The bank expressed its regret over the situation, saying it had been the victim of a very sophisticated criminal fraud, and that it was “very sorry” for how it had affected customers.

The FCA responded by pointing out that the bank had let down its personal current account holders through inadequate levels of skill and due diligence, and underlined that the debacle had occurred because of deficiencies in Tesco’s response behaviours and mechanisms.

The BBC has reported how Mike Steward, executive director of enforcement and market oversight at the FCA, emphasised how the malpractice could not be tolerated by the regulator.

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” he said.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”

The design of Tesco Bank’s debit card, the organisation’s financial crime controls and operations each held weak points that were exploited by the online criminals, the FCA has said.

The activity disrupted many customers’ online service experience, while 34 had money taken from their accounts. However, no customer data was stolen in the cyber-attack.

As reported in the Guardian online, Tesco Bank’s chief executive, Benny Higgins, said:

“Our first priority throughout this incident has been protecting and looking after our customers, and we’d again like to apologise for the worry and inconvenience this issue has caused.

“We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’d also like to reassure our customers that none of their personal data has been compromised,” he added.

Gerry Mallon, Tesco Bank’s CEO said:

“We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.

“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”

Know the risks and responsibilities

Tesco Bank’s cyber-attack and the subsequent penalties it has attracted from the regulator illustrate how careful data-handling organisations have to be to avoid costly data breaches and stay in compliance with the GDPR.

Bosses can get a firmer grasp of their obligations at the Governance, Risk and Compliance Seminar at the Data Protection World Forum.

Coming to London’s Excel on the 20th and 21st November, this world-leading conference is packed full of engaging keynotes, debates and presentations conducted by global authorities in data protection.

The Governance, Risk and Compliance (GRC) Seminar at the Data Protection World Forum will focus on the issues that are at the top of the agenda for compliance professionals from financial institutions.

Watershed regulations such as GDPR and MiFID II which came into play this year constitute some of the most pressing changes and risks facing the financial services industry. The legislation changes are playing out on an uncertain political landscape overshadowed by Brexit negotiations.

Data Protection World Forum takes place one month after a key EU summit on October 18th, when more will be known about what the future holds for UK business.

Whatever lies in wait for financial services sectors, executives can network, acquire the essential knowledge and get to the forefront of regulatory debate at the Governance, Risk and Compliance (GRC) Seminar at DPWF.

Book your place today.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.