A Tesco Bank cyber attack two years ago left customers' data and money vulnerable. Now the bank has agreed to pay a £16.4m ($20m) fine for failing to protect its banking customers.

The Financial Conduct Authority (FCA) blamed Tesco Bank’s insufficient cyber defences for the breach.

Furthermore, in its final notice, the FCA stated:

“Tesco Bank was the subject of a Cyber Attack in November 2016. The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers. Using those virtual cards, they engaged in thousands of unauthorised debit card transactions. The attackers exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack.

“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the attackers £2.26 million. The attack did not involve the loss or theft of customers’ personal data.”

Tesco Bank cyber attack was avoidable

It seems all too familiar and frequent – another bank, another breach and a lack of security tools fit to cope with the high sophistication of these hacks.


Furthermore, the FCA included in its notice that the Tesco Bank cyber attack was avoidable. It highlighted that the hack exploited vulnerabilities in the design of Tesco Bank’s debit card, its financial crime controls and in its financial crime operations team.

Instead of immediately calling the on-call fraud analyst (which is Tesco Bank procedure), the bank emailed the fraud strategy mailbox.

It took Tesco Bank's Financial Crime Operations Team 21 hours from the outset of the attack to make contact with Tesco Bank's Fraud Strategy Team. Moreover, Tesco Bank had made no attempt to stop the attack. Therefore, avoidable fraudulent transactions multiplied, calls from customers mounted and the attack continued.
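The FCA notice describes the attack as thousands of unauthorised transactions on algorithmically generated card numbers over 48 hours, and faults the bank's financial crime controls and its escalation path. The notice does not say which specific control was missing, so the following is an added, hypothetical illustration (not Tesco Bank's or the FCA's code) of one standard "card testing" velocity rule a fraud platform can run on its authorisation feed: flag a merchant at which many distinct cards make their first-ever transaction within a short window. The transaction feed, card tokens and merchant IDs are constructed sample data; card tokens are opaque identifiers, not card numbers.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorisation feed (hypothetical data, not Tesco Bank records).
# Fields: (ISO timestamp, opaque card token, merchant id, amount in GBP).
SAMPLE_TRANSACTIONS = [
    ("2016-11-05T01:00:00", "tok-1001", "grocer-uk", 12.50),
    ("2016-11-05T01:02:00", "tok-1002", "grocer-uk", 8.99),
    ("2016-11-05T02:05:00", "tok-2001", "merchant-x", 95.00),
    ("2016-11-05T02:06:00", "tok-2002", "merchant-x", 95.00),
    ("2016-11-05T02:06:30", "tok-1003", "grocer-uk", 4.20),
    ("2016-11-05T02:07:00", "tok-2003", "merchant-x", 95.00),
    ("2016-11-05T02:08:00", "tok-2004", "merchant-x", 95.00),
    ("2016-11-05T02:08:30", "tok-2004", "merchant-x", 95.00),  # same card again: not a new card
    ("2016-11-05T02:09:00", "tok-2005", "merchant-x", 95.00),  # 5th distinct card in 10 min -> alert
    ("2016-11-05T02:10:00", "tok-2006", "merchant-x", 95.00),  # 6th -> alert again
    ("2016-11-05T05:00:00", "tok-1004", "grocer-uk", 30.00),
]


def detect_merchant_card_bursts(transactions, window=timedelta(minutes=10), threshold=5):
    """Flag merchants at which `threshold` or more distinct cards make their
    first-ever transaction within `window`.

    Returns one alert dict per transaction that pushes a merchant over the
    threshold, including the cards involved and the amount exposed so far,
    so the caller can block the merchant and page the on-call analyst.
    """
    cards_seen_at = defaultdict(set)   # merchant -> cards that have transacted there before
    recent = defaultdict(deque)        # merchant -> (time, card, amount) of recent first uses
    alerts = []

    for ts_str, card, merchant, amount in sorted(transactions, key=lambda t: t[0]):
        ts = datetime.fromisoformat(ts_str)
        if card in cards_seen_at[merchant]:
            continue  # repeat use of an established card at this merchant: not card testing
        cards_seen_at[merchant].add(card)

        q = recent[merchant]
        q.append((ts, card, amount))
        # Slide the window: drop first-uses older than `window`.
        while q and ts - q[0][0] > window:
            q.popleft()

        if len(q) >= threshold:
            alerts.append({
                "time": ts_str,
                "merchant": merchant,
                "new_cards_in_window": len(q),
                "cards": [c for _, c, _ in q],
                "exposure_gbp": round(sum(a for _, _, a in q), 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_merchant_card_bursts(SAMPLE_TRANSACTIONS):
        print(f"ALERT {alert['time']} merchant={alert['merchant']} "
              f"new_cards={alert['new_cards_in_window']} exposure=£{alert['exposure_gbp']}")
```

On the sample feed the rule fires at 02:09 on the fifth distinct card seen at `merchant-x`, minutes into the burst, while the legitimate grocer traffic never trips it. The rule only has value if its output reaches someone who can act: the alert list is meant to drive an automatic merchant block and a page to the on-call analyst, not a message to a shared mailbox that is read hours later.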

Tesco Bank apology

Tesco Bank assured the regulator that the fraud did not involve the theft or loss of any customers' data. However, it led to 34 transactions in which funds were debited from customers' accounts, and to other customers having their normal service disrupted.

Gerry Mallon, chief executive of Tesco Bank, commented:

“We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”

In addition, the Tesco Bank cyber attack highlights a wider issue: banks are not investing enough in platforms robust enough to withstand and respond to cyber attacks.