MSE News

Tesco Bank fined millions over 2016 cyber-attack

Naomi Schraer
News Reporter
30 September 2018

Tesco Bank has been fined £16.4 million by the financial regulator after failing to protect customers from a "largely avoidable" cyber-attack in November 2016.

The Financial Conduct Authority (FCA) said the bank had "failed to exercise due skill, care and diligence" in protecting current-account holders. The incident, which took place over 48 hours and netted the fraudsters some £2.26 million, resulted in the bank suspending all online transfers and debit card payments as a precaution.

The cyber-attack affected 8,261 of the bank's 131,000 personal current accounts, although Tesco now says there were only 34 fraudulent transactions where money left customers' accounts, as all other attempts were successfully blocked.

See our MSE News story for more info on the cyber-attack, and check our guide for tips on protecting yourself from fraud.

Why was Tesco Bank fined?

The FCA says that the hack was a "largely avoidable incident", and that to carry out the attack fraudsters exploited weaknesses in the design of Tesco Bank's debit cards, in the system it had in place to prevent financial crime and in its financial crime operations team.

Tesco Bank could have faced a much higher fine of £33.5 million, but received a reduced penalty of £16.4 million because it co-operated with the FCA and compensated affected customers. 

Mark Steward, executive director of enforcement and market oversight at the FCA, said: "The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.

"In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all. 

"Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated."

What does Tesco say?

Tesco Bank chief executive Gerry Mallon said: "We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers' accounts and we fully accept the FCA's notice. We have significantly enhanced our security measures to ensure that our customers' accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016."
