Tesco Personal Finance plc (Tesco Bank) has been fined £16.4 million by the Financial Conduct Authority after being found to have failed to exercise due diligence in protecting customers’ data from a major security breach in 2016.
Cyber-criminals exploited deficiencies in Tesco Bank’s debit card design and online protections in November 2016 in an attack that lasted 48 hours and left the hackers with £2.26m. In levying the fine the FCA found that the incident had been largely avoidable and that customers’ data had been unnecessarily vulnerable to exploitation.
Tesco Bank was found to be in breach of Principle 2 of the FCA’s code of conduct, which requires financial institutions to exhibit due care and diligence in their activities. Banks are required as a matter of course to protect their customers from financial crime, and the FCA found Tesco’s protections had been inadequate in this case.
In a statement, Mark Steward, Executive Director of Enforcement and Market Oversight for the FCA, said: “The FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
Mr Steward emphasised that banks needed to ensure the systems they put in place to guard against online attacks were fit for purpose, adding: “Tesco has strengthened its controls [since the incident] with the object of preventing this type of incident from being repeated.”
In the aftermath of the attack, Tesco devoted considerable resources to improving its online security protocols and addressing the defects that had allowed the attack to take place. It was able to reduce its fine to £16.4m from a potential £33.56m by cooperating with the enquiry and agreeing to an early settlement.