U.K.’s Tesco Bank fined $21.4 million over cyberbreach
Financial Conduct Authority said the 2016 cyberattack was ‘largely avoidable’
The U.K.’s Financial Conduct Authority issued a £16.4 million ($21.4 million) penalty to Tesco Bank for failing to protect clients from a cyberattack in November 2016.
This is the first time the FCA has taken enforcement action related to a cyberattack, revealing the regulator’s willingness to address lapses of risk management by financial institutions.
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place,” said Mark Steward, the FCA’s executive director of enforcement and market oversight.
“The standard is one of resilience, reducing the risk of a successful cyberattack occurring in the first place, not only reacting to an attack,” Mr. Steward said in a statement.
Tesco Bank’s account holders were vulnerable to a 48-hour attack nearly two years ago, in which cybercrooks took £2.26 million ($2.94 million) from debit cards.
The “sophisticated criminal fraud attack” didn’t lead to the compromise of clients’ personal data, Tesco Bank said in a statement Monday. Instead, the swindlers performed 34 transactions through debit cards and disrupted service to a large number of clients.
The FCA said the attack was “largely avoidable” had the bank been more diligent with the design of its debit cards and financial crime controls.
“The attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” Mr. Steward said. “This was too little, too late. Customers should not have been exposed to the risk at all.”
The regulator also emphasized that boards are “ultimately responsible” for setting up measures and controls to prevent a cyberoffensive, and for implementing an adequate plan of response in case an attack is successful.
Following the attack, Tesco Bank invested in improving its financial crime systems and the skills of individuals operating them, said the regulator.
The bank cooperated fully with the regulators and quickly redressed losses incurred to its clients, the FCA said. That, along with a willingness to expedite the settlement, earned Tesco Bank some credit and helped to reduce the penalty from £33.6 million ($43.8 million). Tesco Bank is the financial arm of one of the U.K.’s largest supermarket chains and has 5.6 million client accounts.