Tesco’s banking arm, Tesco Bank, has been slapped with a £16.4m fine by the financial regulator after it failed to protect its current account holders from a cyber attack in November 2016.
The Financial Conduct Authority (FCA) said the bank had failed to show “due skill, care and diligence” in protecting its personal current account holders.
The attack had led to 34 transactions where funds were taken from customers’ accounts. The bank refunded all customers back in November 2016, but the FCA has now damningly called the cyber attack a “largely avoidable incident”.
Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late. Customers should not have been exposed to the risk at all.”
Gerry Mallon, Tesco Bank chief executive, added: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection.”