Tesco Bank agreed on Monday (Oct. 1) to pay £16.4m in a settlement with the Financial Conduct Authority (FCA) due to a cyberattack at the lender in 2016.
According to a report in The Guardian, citing Tesco, the company said the attack didn't result in theft or loss of customers' data, but in 34 transactions in which funds were debited from accounts. What's more, it said customers faced disruptions in normal service.
The FCA said the fraud resulted in the hackers getting off with £2.26m by capitalizing on what it called "deficiencies" in Tesco Bank's design of its debit card, financial crime controls and its financial crime operations team. The FCA did note that Tesco put in place a “comprehensive redress” program and spent significant resources to address the deficiencies that left the bank susceptible to the cyberattack. The Guardian noted that if Tesco had not cooperated with the FCA and agreed to settle, it would have been fined £33.56m.
“We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts, and we fully accept the FCA’s notice," Tesco Bank Chief Executive Gerry Mallon said. “We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologize to our customers for the inconvenience caused in 2016.”
Meanwhile, Mark Steward, the executive director of enforcement and market oversight at the FCA, said in a statement that the fine reflects the fact that the FCA has "no tolerance" for banks that don't protect their customers from risk.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late," Steward said, according to the report. "Customers should not have been exposed to the risk at all. Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyberattack occurring in the first place, not only reacting to an attack."