The UK's banking watchdog has slapped the banking arm of UK supermarket chain Tesco with a £16.4 million fine for its failure to prevent a cyber attack that affected thousands of customers in 2016.
The Financial Conduct Authority has slammed Tesco Bank for failing to exercise due skill, care and diligence in protecting its personal current account holders against the attack, which netted the perpetrators £2.6 million and was described at the time as an "unprecedented" assault against a UK regulated bank.
The FCA says the criminals exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack.
It is believed that Tesco Bank may have left itself open to fraud by issuing debit cards with sequential numbers.
Mark Steward, executive director of enforcement and market oversight at the FCA, says: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
In levelling the fine, the FCA says Tesco Bank avoided a much higher penalty amounting to £33,562,400 by acting swiftly to correct the deficiencies identified and agreeing to an early settlement of the matter.