UK: FCA fines Tesco Bank £16.4m for failures in 2016 cyber attack
The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack. The cyber attack took place in November 2016.
Cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m.
The FCA found that Tesco Bank failed to exercise due skill, care and diligence to:

- Design and distribute its debit card.
- Configure specific authentication and fraud detection rules.
- Take appropriate action to prevent the foreseeable risk of fraud.
- Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.