Regulators Consider Record-Breaking £30m Fine For Tesco Bank Hack

Tesco’s banking arm may face a record fine from the UK’s financial regulator over a 2016 cyberattack that led to customer losses of £2.5 million and was considered a first at the time.

The Financial Conduct Authority (FCA) is considering a fine of up to £30m, according to multiple reports citing persons familiar with the matter.

Tesco Bank is understood to be in negotiations with the FCA to reduce the fine substantially, and is reportedly hoping a fine of less than £20m will finally be agreed upon.

In November 2016 Tesco Bank was forced to suspend all online transactions after it found that criminals were trying to access customers’ accounts.

Massive fine

The bank revised an initial estimate that 40,000 customers had been affected down to 20,000 and subsequently to 9,000.

Reports indicate that since that time the bank has further revised the figure to fewer than 50 customers, all of whose losses were refunded within days. No customer data was compromised, Tesco Bank has said.

The relatively small number of customers affected adds shock value to the size of the proposed fine, which was first disclosed by Sky News.

The proportion of the fine would appear to suggest penalties in the hundreds of millions or billions of pounds for a large-scale incident.

The Information Commissioner’s Office (ICO), by contrast, last week fined Equifax a relatively modest £500,000 for exposing the personal data of millions of British individuals to hackers.

That fine, however, was for data losses, and not financial theft, and moreover was the maximum allowed under the data protection laws in place when the hack occurred last year.


The GDPR, which came into force in May, has since instituted much more substantial penalties. The FCA’s investigation into the Equifax breach continues.

At the time of the Tesco Bank hack the FCA described it as “unprecedented in the UK”, while experts said it was the first mass account breach at a western bank.

Data breaches and online banking outages are coming under growing scrutiny as customers rely increasingly on digital services.

Last week customers at banks including Barclays and Royal Bank of Scotland’s NatWest were locked out of online accounts by technical failures.

The FCA has not yet imposed a substantial penalty for a cyber-theft. It imposed a £42m penalty against RBS in 2014, but that fine was for an IT outage.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
