Tesco has been fined £16.4m by the Financial Conduct Authority for failing to protect account holders at its bank against a cyberattack that happened in November 2016.
The FCA found Tesco Bank had left itself open to “foreseeable risks” through deficiencies in the design of its debit card and its financial crime controls.
Cyberattackers were able to exploit the vulnerabilities over 48 hours and stole £2.26m, said the FCA on 1 October.
FCA executive director of Enforcement and Market Oversight Mark Steward said: “The attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
Bank chief executive Gerry Mallon said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection.”
Cyberattacks are being taken more seriously by regulators
The FCA said in a statement that Tesco Bank would have faced a penalty of over £30m, but the regulator gave it credit for stopping “a significant percentage of unauthorised transactions” as well as providing a high level of cooperation.
Tesco Bank initially estimated that 40,000 customers had money stolen in the attack, but finally settled on fewer than 50 and fully compensated the customers whose savings were taken.
But the FCA said that banks had to ensure that their financial crime systems and the people designing and operating them worked to reduce the risk of cyberattacks happening in the first place, “not only reacting to an attack”.
“There will be tougher penalties in the future”
The former head of Barclays Innovation Unit Paul Farrington said: “We commend the FCA for its actions today related to the 2016 Tesco Bank cyberattack. While the vulnerability exploited in this breach is still a common occurrence, it is clear financial penalties for non-compliance and deficiencies will be increasing in the future. The fraud netted cyber attackers £2.26 million in this instance.
“The Tesco attack happened prior to the implementation of new data protection regulations like GDPR, therefore the regulators took appropriate action under the mandate they were able to operate in. This penalty is a reminder of how critical it is that organisations consider their vulnerabilities and limit their exposure to fines. Financial losses due to non-compliance have the potential to outstrip what it would have cost to mitigate against a breach in the first place.
“There will be tougher penalties in the future, and UK businesses must reassess their IT infrastructure and secure their software, web applications and networks to help protect sensitive data and ensure compliance.”
How does GDPR apply?
Tesco said in a statement that the cyberattack “did not involve the theft or loss of any customers’ data, but led to 34 transactions where funds were debited from customers’ accounts, and other customers having normal service disrupted”.
But there is a possibility that the vulnerabilities that led to the cyberattack in November 2016 could also have left the bank open to a data breach.
Under GDPR article 25, data protection by design and by default is required in a company’s products and services.
Also, if a subsidiary company fails to comply with the regulation, the fines would be calculated based on its corporate parent’s turnover.
If the attacks had happened after May 2018 when GDPR came into effect, Tesco would have faced fines of up to 4% of its annual turnover, which in 2016 would have been around £2bn.