The UK financial watchdog has fined Tesco Bank for failing to protect personal current account holders during a 2016 cyber attack that saw hackers run off with £2.26m.

Tesco Bank has been handed a £16.4m fine for failing to protect current account holders when it was hit by a cyber-attack two years ago.

UK financial watchdog the Financial Conduct Authority (FCA) lambasted the retail banking firm – stating it did not show skill, care or diligence in protecting personal account holders during the breach in November 2016.

It added the hackers launched their attack by exploiting holes in the design of the bank’s debit cards, its financial crime control and financial crime operations team.

The FCA said the “largely avoidable incident” led to the cyber-attackers bagging £2.26m.

Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.  

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.  

“This was too little, too late. Customers should not have been exposed to the risk at all.”

Mr Steward added that Tesco Bank had since strengthened its controls to prevent similar cyber attacks.

The FCA found the bank, owned by supermarket giant Tesco, had not taken appropriate fraud prevention action and failed to meet the watchdog’s standards in its response to the attack.

The bank was found to have swiftly invested serious sums in fixing the system flaws that put customer accounts at risk, as well as in improving the skills of its financial crime teams.


Tesco Bank chief executive: ‘We are very sorry’

Tesco Bank chief executive Gerry Mallon apologised for its failures during the 2016 cyber attack (Picture: Tesco Bank)

The financial watchdog gave Tesco Bank a 30% credit for mitigation and a further 30% discount on the fine it would have faced, because it made efforts to fix its systems and co-operated with the regulator.

Had the retail bank not worked with the FCA following the 2016 cyber-attack, it would have faced a £33.5m fine.

Tesco Bank chief executive Gerry Mallon said: “We are very sorry for the impact that this fraud attack had on our customers.

“Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.

“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
