Tesco Bank has been fined £16.4 million by the UK’s financial watchdog following a cyber-attack in 2016.
The bank agreed the settlement for “failing to exercise due skill, care and diligence in protecting its personal current account holders”.
In November 2016, attackers exploited deficiencies in Tesco Bank’s design of its debit card, in its financial crime controls and in its financial crime operations team to carry out the attack.
Current account holders were left vulnerable to “a largely avoidable incident” that occurred over 48 hours and which netted the cyber attackers £2.26 million, the Financial Conduct Authority (FCA) said.
“We are very sorry for the impact that this fraud attack had on our customers,” said Tesco Bank’s chief executive officer Gerry Mallon.
“Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.”
Mallon stressed that Tesco Bank has since “significantly enhanced” its security measures.
Mark Steward, executive director for enforcement and market oversight at the FCA, said the fine reflects the fact that the FCA “has no tolerance for banks that fail to protect customers from foreseeable risks”.
He added: “In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late. Customers should not have been exposed to the risk at all.”
Tesco Bank qualified for a 30 per cent discount in return for an early settlement.