FCA fines Tesco Bank £16.4m over 2016 cyber attack
2.10.2018 securityaffairs Attack
Tesco Bank agreed to pay £16.4m as part of a settlement with the Financial Conduct Authority following the 2016 security breach.
The Financial Conduct Authority (FCA) has assigned a £16.4m fine to Tesco Bank for the vulnerabilities in its systems that were exploited by hackers to steal millions of pounds from customers’ online accounts in 2016.
In November 2016, Tesco Bank halted all online transactions after a cyber heist affected thousands of its customers. An investigation is ongoing.
The measure was announced by chief executive Benny Higgins. At the time, the bank admitted that 40,000 of its 136,000 current account customers had their accounts hacked, and that 50 percent of them had lost money.
According to the financial institution, hackers stole £2.26m from 9,000 customers' accounts over 48 hours. Most of the transactions were made in Brazil and relied on magnetic stripe rules.
The bank was fined because it was not able to demonstrate “due skill, care and diligence” in protecting customers’ accounts from cyber attacks.
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, the executive director of enforcement and market oversight at the FCA.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all. Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”
“The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack.”
Tesco Bank had been alerted by Visa one year before the cyber attack, but failed to apply the necessary countermeasures.
According to the FCA, Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:
Design and distribute its debit card.
Configure specific authentication and fraud detection rules.
Take appropriate action to prevent the foreseeable risk of fraud.
Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
According to the FCA, hackers used an algorithm to generate valid debit card numbers that were involved in fraudulent transactions.
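As an added illustration of the kind of fraud-detection rule the FCA refers to (example code written for this page, not Tesco Bank's or the FCA's; the transactions and card numbers are constructed), the two checks below flag magnetic-stripe transactions outside a customer's home country and bursts of near-sequential card numbers within one BIN, which is the footprint left by algorithmically generated card numbers:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions: (timestamp, PAN, entry mode, merchant country, customer home country).
# PANs are made-up test values, not real card numbers.
SAMPLE_TXNS = [
    ("2016-11-05T03:01:00", "4000123400001001", "magstripe", "BR", "GB"),
    ("2016-11-05T03:01:20", "4000123400001002", "magstripe", "BR", "GB"),
    ("2016-11-05T03:01:45", "4000123400001003", "magstripe", "BR", "GB"),
    ("2016-11-05T03:02:10", "4000123400001004", "magstripe", "BR", "GB"),
    ("2016-11-05T03:02:30", "4000123400001005", "magstripe", "BR", "GB"),
    ("2016-11-05T09:15:00", "4000123400005555", "chip",      "GB", "GB"),
    ("2016-11-05T10:00:00", "4000123400007777", "magstripe", "US", "GB"),
]


def foreign_magstripe(txns):
    """Rule 1: magnetic-stripe entry outside the customer's home country.
    Stripe data carries no chip cryptogram, so these should be declined or stepped up."""
    return [pan for _, pan, mode, country, home in txns
            if mode == "magstripe" and country != home]


def sequential_pan_clusters(txns, bin_len=8, window_min=5, min_cards=4):
    """Rule 2: within one BIN, several distinct PANs with consecutive account numbers
    seen inside a short window. Organic customers do not shop in card-number order;
    enumerated card numbers do. Returns the set of BIN prefixes that trip the rule."""
    by_bin = defaultdict(list)
    for ts, pan, _, _, _ in txns:
        by_bin[pan[:bin_len]].append((datetime.fromisoformat(ts), int(pan[bin_len:])))
    flagged = set()
    for prefix, entries in by_bin.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            in_window = {acct for t, acct in entries[i:] if t - t0 <= timedelta(minutes=window_min)}
            accts = sorted(in_window)
            run = longest = 1
            for a, b in zip(accts, accts[1:]):
                run = run + 1 if b - a == 1 else 1   # count consecutive account numbers
                longest = max(longest, run)
            if longest >= min_cards:
                flagged.add(prefix)
    return flagged


if __name__ == "__main__":
    print("foreign magstripe:", foreign_magstripe(SAMPLE_TXNS))
    print("enumerated BINs:", sequential_pan_clusters(SAMPLE_TXNS))
```

On the sample data the first rule catches the six foreign stripe transactions and the second isolates the single BIN whose account numbers were walked in sequence, which is the signal a velocity rule can block before thousands of cards are hit.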
Tesco Bank provided all the necessary support to the FCA and fully compensated customers; it was also able to halt a significant percentage of the unauthorised transactions.
The FCA recognised the bank's post-incident efforts to limit its customers' exposure and granted it 30% credit for mitigation. Tesco Bank also agreed to an early settlement, which qualified it for a 30% (Stage 1) discount under the FCA's executive settlement procedure.
“Tesco Bank provided a high level of cooperation to the FCA. Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation,” continues the FCA.
“In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.”