Failure to take "due skill, care and diligence in protecting its personal current account holders against a cyber attack" has earned Tesco Bank a £16.4 million fine from the Financial Conduct Authority (FCA).
The financial penalty relates to a data breach in November 2016, which affected up to 9,000 customers and resulted in losses to the bank of £2.26 million.
The FCA said that Tesco Bank avoided a much higher penalty of £33 million because it provided a high level of cooperation with the investigation and took immediate steps to fix the vulnerabilities. It also qualified for a 30 percent discount for agreeing to settle at an early stage of the investigation.
In its investigation, the FCA identified deficiencies in the design of Tesco’s debit cards, its financial control systems and its Financial Crime Operations Team which left account holders "vulnerable to a largely avoidable incident".
It said that Tesco Bank had breached principle 2 of the FCA code because it failed to exercise due care, skill and diligence in:
The design and distribution of its debit card
The configuration of specific authentication and fraud detection rules
Preventing foreseeable fraud risk
Responding to the attack with sufficient rigour, skill and urgency.
It was reported at the time that Tesco Bank had ignored warnings from Visa that its systems were at risk.
Customers were left without access to funds to pay bills. The BBC quoted Alan Baxter from Berwick-upon-Tweed who said £600 was taken from his account, leaving him with just £21.88 in the bank. The bank offered him just £25 in emergency money as a goodwill gesture. Another customer who had just £2 left in his account said he finally got through to customer service only to be told that it would be 48 hours before he would regain access to his funds.
Tesco Bank said at the time that all customers who had suffered losses had been refunded.
Mark Steward, executive director of enforcement and market oversight at the FCA, said: "The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.
"Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated."
Ross Brewer, a vice president at LogRhythm, said: "This fine is a reflection of how serious and stringent today’s regulators are when it comes to data protection. In this case, the cyber criminals may have managed to steal £2.26m, but Tesco has come off much worse after being hit with a £16.4m fine. What’s frustrating is that this attack could have easily been avoided. Tesco did not address its defences or vulnerabilities until after the breach had taken place, making it too little too late – something I’m sure the company is regretting right now.
"Businesses have to take lessons from these breaches. Tesco is a big enough company that should survive a fine this high, but not every company will be in the same position. Attacks on retailers and banks no longer surprise anyone, but what is still incomprehensible is that so many of these companies are failing to identify threats from the offset."
Mark Brenlund, partner at law firm Weightman’s, said the FCA fine raised the prospect of larger fines from the Information Commissioner’s Office (ICO) in future. "Alarm bells should also be ringing in the boardrooms of any business which handles large volumes of customer data, not just those in the financial services sector. A fine of this level will raise the bar for the Information Commissioner’s Office, too, adding pressure for it to respond with similar strength to future data breaches," he said.