Tesco Bank Fined £16.4m By Regulator Over 2016 Cyber-Attack


That’s gonna sting. Tesco’s banking division has been slapped with a £16.4m fine for a customer account breach

Tesco’s banking arm has been hit with a stiff fine from the UK’s financial regulator over a 2016 cyberattack that led to customer losses of £2.5 million.

The 2016 incident, the first mass breach of accounts at a western bank, forced Tesco’s financial arm to temporarily shut down online services and reimburse customers the £2.5m that was stolen.

Last week it emerged that the Financial Conduct Authority (FCA) had been considering a record fine of up to £30m, so the news that it only has to pay half of that will be a welcome development for the bank.

FCA ruling

In its ruling, the Financial Conduct Authority said that Tesco Bank had made a “series of errors”, including a 21-hour delay that allowed the hackers (thought to be from Brazil) to carry out multiple fraudulent transactions.

In November 2016 Tesco Bank had been forced to suspend all online transactions after it found that criminals were accessing customers’ accounts. The bank revised an initial estimate that 40,000 customers had been affected down to 20,000 and subsequently to 9,000.

“Tesco Bank was the subject of a Cyber Attack in November 2016,” said the FCA. “The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers and, using those “virtual cards”, they engaged in thousands of unauthorised debit card transactions.

“The attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack,” said the FCA. “Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the attackers £2.26 million. The attack did not involve the loss or theft of customers’ personal data.”

Although Tesco Bank’s controls stopped almost 80 percent of the unauthorised transactions, the cyber attack affected 8,261 out of 131,000 Tesco Bank personal current accounts, said the FCA.
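The FCA’s account above describes an issuer-side failure mode: an attacker holding a batch of valid card numbers pushes many transactions through in a short period, and the bank’s financial crime controls take hours to react. The following is an added illustration, not code from the FCA, Tesco Bank or this article, of the kind of velocity check an issuer’s fraud monitoring can run over its authorisation stream to surface such a burst within minutes rather than hours. The log format, the merchant names, the PANs (on a fictional BIN 400000), the timestamps and the thresholds are all constructed for the example; a production control would tune them against real traffic.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed issuer-side authorisation log (not real data).
# Fields: timestamp | PAN | merchant | amount | decision
# PANs are made-up 16-digit values on a fictional BIN 400000; timestamps are invented.
SAMPLE_AUTHS = """\
2016-11-05T23:00:00 | 4000000000000010 | GROCERY-12      | 42.10 | APPROVED
2016-11-05T23:01:30 | 4000000000000028 | GROCERY-12      | 18.00 | APPROVED
2016-11-05T23:02:00 | 4000000000000101 | WEB-MERCHANT-77 |  9.99 | APPROVED
2016-11-05T23:02:20 | 4000000000000119 | WEB-MERCHANT-77 |  9.99 | DECLINED
2016-11-05T23:02:45 | 4000000000000127 | WEB-MERCHANT-77 |  9.99 | APPROVED
2016-11-05T23:03:10 | 4000000000000010 | GROCERY-12      |  5.25 | APPROVED
2016-11-05T23:03:30 | 4000000000000135 | WEB-MERCHANT-77 |  9.99 | APPROVED
2016-11-05T23:04:05 | 4000000000000143 | WEB-MERCHANT-77 |  9.99 | DECLINED
2016-11-05T23:04:40 | 4000000000000150 | WEB-MERCHANT-77 |  9.99 | APPROVED
2016-11-05T23:05:15 | 4000000000000101 | WEB-MERCHANT-77 | 24.50 | APPROVED
"""

# Constructed prior card/merchant relationships: pairs that had transacted before this log starts.
KNOWN_PAIRS = {
    ("GROCERY-12", "4000000000000010"),
    ("GROCERY-12", "4000000000000028"),
}


@dataclass
class Auth:
    ts: datetime
    pan: str
    merchant: str
    amount: float
    approved: bool


@dataclass
class Alert:
    merchant: str
    first_seen: datetime      # earliest auth still inside the window when the alert fired
    detected_at: datetime     # auth that pushed the merchant over the threshold
    distinct_cards: int
    new_card_fraction: float  # share of those cards with no prior history at this merchant
    sample_cards: list        # masked PANs, safe to put in an alert


def parse_auths(text):
    """Parse the pipe-separated log into Auth records."""
    auths = []
    for line in text.strip().splitlines():
        ts, pan, merchant, amount, decision = [f.strip() for f in line.split("|")]
        auths.append(Auth(datetime.fromisoformat(ts), pan, merchant,
                          float(amount), decision == "APPROVED"))
    return auths


def mask_pan(pan):
    """Keep BIN and last four digits only, so alerts never carry a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def detect_card_bursts(auths, known_pairs, window=timedelta(minutes=10),
                       min_cards=5, min_new_fraction=0.8):
    """Flag a merchant that, within `window`, hits at least `min_cards` distinct cards
    of which at least `min_new_fraction` have never transacted there before.
    Declined attempts count too: a burst of declines is itself the signal."""
    history = set(known_pairs)
    windows = defaultdict(deque)   # merchant -> deque of (ts, pan) inside the window
    cards = defaultdict(dict)      # merchant -> {pan: [count_in_window, was_new_on_first_sight]}
    alerting = defaultdict(bool)   # one alert per burst, not one per transaction
    alerts = []
    for a in sorted(auths, key=lambda x: x.ts):
        w, seen = windows[a.merchant], cards[a.merchant]
        # Expire entries that have fallen out of the sliding window.
        while w and a.ts - w[0][0] > window:
            _, old = w.popleft()
            seen[old][0] -= 1
            if seen[old][0] == 0:
                del seen[old]
        is_new = (a.merchant, a.pan) not in history
        history.add((a.merchant, a.pan))
        w.append((a.ts, a.pan))
        seen.setdefault(a.pan, [0, is_new])[0] += 1
        distinct = len(seen)
        new_fraction = sum(1 for _, n in seen.values() if n) / distinct
        if distinct >= min_cards and new_fraction >= min_new_fraction:
            if not alerting[a.merchant]:
                alerting[a.merchant] = True
                alerts.append(Alert(a.merchant, w[0][0], a.ts, distinct, new_fraction,
                                    [mask_pan(p) for p in list(seen)[:3]]))
        else:
            alerting[a.merchant] = False
    return alerts


def detection_latency_seconds(alert):
    """Seconds between the start of the burst and the alert, the number to drive down."""
    return (alert.detected_at - alert.first_seen).total_seconds()


if __name__ == "__main__":
    for alert in detect_card_bursts(parse_auths(SAMPLE_AUTHS), KNOWN_PAIRS):
        print(f"{alert.merchant}: {alert.distinct_cards} cards in window, "
              f"{alert.new_card_fraction:.0%} new, detected after "
              f"{detection_latency_seconds(alert):.0f}s, e.g. {alert.sample_cards}")
```

On the constructed log the grocery merchant never trips the rule (two repeat customers, both with history), while the web merchant is flagged on its fifth distinct card about two minutes into the burst. The point of the design is that the decision key is the merchant, not the individual card: a card-number-generation attack looks unremarkable per account but is obvious once attempts are grouped by where they are being spent.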

The Information Commissioner’s Office (ICO), by contrast, recently fined Equifax a relatively modest £500,000 for exposing the personal data of millions of British individuals to hackers.

That fine, however, was for data losses, and not financial theft, and moreover was the maximum allowed under the data protection laws in place when the hack occurred last year.

Expert take

One security expert has pointed out that Tesco could have avoided this attack altogether if it had examined its own defences.

“This fine is a reflection of how serious and stringent today’s regulators are when it comes to data protection,” said Ross Brewer, VP & MD EMEA at LogRhythm. “In this case, the cyber criminals may have managed to steal £2.26m, but Tesco has come off much worse after being hit with a £16.4m fine.”

“What’s frustrating is that this attack could have easily been avoided,” said Brewer. “Tesco did not address its defences or vulnerabilities until after the breach had taken place, making it too little too late – something I’m sure the company is regretting right now.”

“Businesses have to take lessons from these breaches,” he warned. “Tesco is a big enough company that should survive a fine this high, but not every company will be in the same position. Attacks on retailers and banks no longer surprise anyone, but what is still incomprehensible is that so many of these companies are failing to identify threats from the offset.”

Another expert agreed that banks have to invest in their cyber security to retain customer confidence.

“Banks need to maintain the utmost security and show the public they are resilient to attacks to ensure their customers’ bank balances are safe from criminals,” said Jake Moore, cyber security expert at ESET UK.

“Unfortunately, a cyber-attack on a bank will not only weaken customer confidence in this particular bank but all online banks in general,” said Moore. “This is a huge fine for a cyber-attack but it has also been placed to reduce this type of attack from reoccurring.”

“Companies, and especially banks, understand that personal details, or in this case customers’ money, can be stolen in seconds but take years to rebuild in customer trust,” he added. “This was a calculated attack, so being open with the FCA from the start not only reduced the amount stolen from escalating, but it also reduced the size of the fine thereafter.”
