Tesco’s banking arm has agreed a settlement with the Financial Conduct Authority (FCA) to pay £16.4 million following a landmark cyber-attack.
Following a cyber-attack in 2016, in which hackers exploited flaws in Tesco Bank’s financial crime controls and debit card design, £2.26 million was stolen from customers’ accounts.
Though the attack was initially thought to have compromised 50,000 customers’ accounts, a subsequent investigation by the FCA found that the attack did not involve any loss of customers’ data.
The retailer has now reached a deal with the FCA in which it was fined £16.4 million, under half of the record £33.56 million that it would have been forced to pay if it had not provided a high level of cooperation.
“We are very sorry for the impact that this fraud attack had on our customers,” Tesco Bank chief executive Gerry Mallon said.
“Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
The investigation sought to establish whether customers were left exposed by Tesco Bank after it issued sequential debit card numbers, a practice avoided by other banks because it makes it easier for attackers to guess expiry dates and security codes.
The FCA’s executive director of enforcement and market oversight Mark Steward added: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”