The 2016 incident, the first mass breach of accounts at a western bank, forced Tesco’s financial arm to temporarily shut down online services and reimburse customers £2.5m
Tesco’s banking arm may face a record fine from the UK’s financial regulator over a 2016 cyberattack that led to customer losses of £2.5 million and was considered a first at the time.
The Financial Conduct Authority (FCA) is considering a fine of up to £30m, according to multiple reports citing persons familiar with the matter.
Tesco Bank is understood to be in negotiations with the FCA to reduce the fine substantially, and is reportedly hoping a fine of less than £20m will finally be agreed upon.
In November 2016 Tesco Bank was forced to suspend all online transactions after it found that criminals were trying to access customers’ accounts.
The bank revised an initial estimate that 40,000 customers had been affected down to 20,000 and subsequently to 9,000.
Reports indicate that since that time the bank has further revised the figure to fewer than 50 customers, all of whose losses were refunded within days. No customer data was compromised, Tesco Bank has said.
The relatively small number of customers affected adds shock value to the size of the proposed fine, which was first disclosed by Sky News.
A fine of that size, measured against the losses involved, would appear to imply penalties in the hundreds of millions or billions of pounds for a large-scale incident.
The Information Commissioner’s Office (ICO), by contrast, last week fined Equifax a relatively modest £500,000 for exposing the personal data of millions of British individuals to hackers.
That fine, however, was for data loss rather than financial theft, and was moreover the maximum allowed under the data protection laws in place when the hack occurred last year.
The GDPR, which came into force in May, has since instituted much more substantial penalties. The FCA’s investigation into the Equifax breach continues.
At the time of the Tesco Bank hack the FCA described it as “unprecedented in the UK”, while experts said it was the first mass account breach at a western bank.
Data breaches and online banking outages are coming under increasing scrutiny as customers come to rely more heavily on digital services.
Last week customers at banks including Barclays and Royal Bank of Scotland’s NatWest were locked out of online accounts by technical failures.
The FCA has not yet imposed a substantial penalty for a cyber-theft. It imposed a £42m penalty against RBS in 2014, but that fine was for an IT outage.