Financial Conduct Authority fines Tesco Bank £16.4m over 2016 security breach

Every little helps: Penalty slashed with 60% discount

The Financial Conduct Authority (FCA) has slapped a £16.4m fine on Tesco Bank for the security vulnerabilities that led to millions of pounds being pilfered from thousands of customers’ online accounts two years ago.

As revealed by us at the time, Tesco called on the National Cyber Security Centre to probe the 5 November 2016 attack that ultimately saw a total of £2.26m stolen from 9,000 customers accounts over 48 hours. Tesco had been forced to suspend online and contactless transactions in the immediate aftermath of the breach as it probed the root cause.

The fine, made public today, is for the bank’s failure to demonstrate “due skill, care and diligence” in safeguarding personal current account holders against infosec nasties, the FCA said.

“The FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said the FCA’s Mark Steward, exec director of enforcement and market oversight.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all,” he added.

Tesco Bank had actually received a fraud alert from Visa in November 2015, roughly a year before the attack, about fraudulent transactions similar to the one that eventually hit its business.

The crooks most likely employed an algorithm that generated authentic debit card numbers, and these "virtual" cards were then used for unauthorised transactions, the FCA said.

The FCA said crooks took advantage of deficiencies in the “design” and “distribution” of Tesco’s debit card, but it also highlighted other failings including the way the bank configured specific authentication and employed fraud detection rules.

For example, Tesco Bank’s financial crime operations team emailed the fraud strategy inbox rather than phoning the on-call Fraud Strategy Team - as internal regs required. So it took the 21 hours for the two teams to make contact and nothing was done in the interim to halt the attack.

The majority of the transactions were made in Brazil and relied on magnetic strip rules, a method known as PoS 91 that is mostly used outside of Europe and carries no limits on the value or number of transactions.

The FCA also castigated Tesco for failing to “take appropriate action to prevent the foreseeable risk of fraud” and for failing to “respond to the… cyber attack with sufficient rigour, skill and urgency”.

Steward at the FCA added:

Banks must ensure that their financial crime systems and the individuals who design and operate them must work to substantially reduce the risk of such attack occurring in the first place,” said Steward.

He said prevention was better than cure, and claimed Tesco had finally boosted its controls with the aim of stopping “this type of incident from being repeated.

The FCA, however, revealed that because Tesco had agreed to settle the incident early, it had qualified for a 30 per cent Stage 1 discount.

Tesco also qualified for another 30 per cent reduction in fines by fully co-operating with the FCA, compensating impacted customers and by halting around 80 per cent of unauthorised transactions before they were processed.

“But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.”

Every little helps. ®




Biting the hand that feeds IT © 1998–2018