A cyber attack on Tesco Bank two years ago left customers’ money exposed to fraud. The bank has now agreed to pay £16.4m ($20m) for failing to protect its banking customers.
The Financial Conduct Authority (FCA) blamed Tesco Bank’s insufficient cyber defences for the breach.
Furthermore, in its final notice, the FCA stated:
“Tesco Bank was the subject of a Cyber Attack in November 2016. The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers. Using those virtual cards, they engaged in thousands of unauthorised debit card transactions. The attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack.
“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the attackers £2.26 million. The attack did not involve the loss or theft of customers’ personal data.”
Tesco Bank cyber attack was avoidable
It seems all too familiar and frequent: another bank, another breach, and security controls not fit to cope with the attack.
The FCA’s notice also stated that the Tesco Bank cyber attack was avoidable. It found that the attack exploited weaknesses in the design of Tesco Bank’s debit cards, in its financial crime controls and in its Financial Crime Operations Team.
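To make the control failure concrete, here is an added example (not code from the page, Tesco Bank or the FCA) in Python. It shows what a card-number generator of the kind the FCA describes could look like, assuming for illustration that it enumerates consecutive Luhn-valid PANs inside one BIN, and then runs a simple issuer-side check over constructed authorisation events: an alert when one merchant presents many distinct PANs in a short window and either a large share of them are not issued cards or their account-number fields are near-consecutive. The BIN `999999`, the merchant ids, the thresholds and the two heuristics are all assumptions made for this example.

```python
"""PAN enumeration and a detection heuristic (added example, not Tesco Bank or FCA code)."""
from collections import defaultdict


def luhn_checksum_digit(partial: str) -> str:
    """Return the check digit that makes `partial + digit` pass the Luhn test."""
    total = 0
    # The rightmost digit of `partial` sits next to the check digit in the final PAN,
    # so it is the first one doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest of the PAN."""
    return len(pan) >= 2 and pan.isdigit() and luhn_checksum_digit(pan[:-1]) == pan[-1]


def enumerate_pans(bin_prefix: str, start: int, count: int, length: int = 16):
    """Yield `count` consecutive Luhn-valid PANs in one BIN.

    This is an assumed shape for the attackers' 'algorithm': if an issuer hands out
    account numbers sequentially, every candidate here is a plausible live card."""
    body_len = length - len(bin_prefix) - 1
    for n in range(start, start + count):
        partial = bin_prefix + str(n).zfill(body_len)
        yield partial + luhn_checksum_digit(partial)


def detect_enumeration(events, issued, window=300, min_cards=20, unissued_ratio=0.3):
    """Return {merchant_id: details} for merchants whose traffic looks like PAN enumeration.

    events: iterable of (timestamp_seconds, merchant_id, pan); issued: set of live PANs.
    Heuristics (assumptions for this example): within `window` seconds a merchant presents
    at least `min_cards` distinct PANs, and either >= `unissued_ratio` of them are not issued
    cards, or their 9-digit account fields span no more than twice the number of PANs."""
    by_merchant = defaultdict(list)
    for ts, merchant, pan in sorted(events):
        by_merchant[merchant].append((ts, pan))
    flagged = {}
    for merchant, items in by_merchant.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the window forward
                start += 1
            pans = {p for _, p in items[start:end + 1]}
            if len(pans) < min_cards:
                continue
            unissued = sum(1 for p in pans if p not in issued) / len(pans)
            acct = sorted(int(p[6:-1]) for p in pans)          # assumes 6-digit BIN, 1 check digit
            span = acct[-1] - acct[0] + 1
            if unissued >= unissued_ratio or span <= 2 * len(pans):
                flagged[merchant] = {"distinct_pans": len(pans),
                                     "unissued_ratio": round(unissued, 2),
                                     "span": span}
                break                                           # alert on the earliest window
    return flagged


# Constructed sample data: a fictitious BIN, an enumerating merchant, a busy legitimate
# merchant and a quiet one. None of this is real card or transaction data.
BIN = "999999"
ATTACK_PANS = list(enumerate_pans(BIN, 100000000, 25))
LEGIT_BODIES = [BIN + str(100000000 + k * 5_000_000).zfill(9) for k in range(30)]
LEGIT_PANS = [p + luhn_checksum_digit(p) for p in LEGIT_BODIES]
ISSUED = set(ATTACK_PANS[::3]) | set(LEGIT_PANS)                # only every third guess is a live card
EVENTS = (
    [(t, "M-ATTACK", p) for t, p in enumerate(ATTACK_PANS)]      # one fresh PAN per second
    + [(t * 10, "M-BIG", p) for t, p in enumerate(LEGIT_PANS)]   # 30 real cards in 290 s, widely spread
    + [(t * 700, "M-SHOP", LEGIT_PANS[t]) for t in range(5)]     # low-volume shop
)

if __name__ == "__main__":
    for merchant, details in detect_enumeration(EVENTS, ISSUED).items():
        print(f"ALERT {merchant}: {details}")
```

The busy legitimate merchant is not flagged because every PAN it presents is an issued card and the account numbers are scattered across the BIN; the enumerating merchant trips the alert after 20 distinct PANs, around 20 seconds in, rather than 21 hours later. In a real issuer platform the same signals would come from the authorisation stream and the card-management system, and the thresholds would need tuning against genuine merchant traffic.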
Instead of immediately phoning the on-call fraud analyst, as Tesco Bank’s own procedure required, the bank emailed the fraud strategy mailbox.
It took Tesco Bank’s Financial Crime Operations Team 21 hours from the start of the attack to make contact with Tesco Bank’s Fraud Strategy Team, and during that time Tesco Bank made no attempt to stop the attack. Avoidable fraudulent transactions multiplied, calls from customers mounted and the attack continued.
Tesco Bank apology
Tesco Bank assured the regulator that the fraud did not involve the theft or loss of any customers’ data. It did, however, lead to 34 transactions in which funds were debited from customers’ accounts, and to other customers having their normal service disrupted.
Gerry Mallon, chief executive of Tesco Bank commented:
“We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
The Tesco Bank cyber attack also highlights a wider issue: banks are not investing enough in platforms and controls robust enough to detect and contain this kind of fraud.