Tesco Bank fined £16m over 2016 data breach

(Image credit: Shutterstock/Ai825)

The UK's financial regulator has fined Tesco Bank £16.4m for the data breach that occurred back in late 2016.

According to the Financial Conduct Authority's (FCA) official statement, Tesco Bank is being fined “because it failed to exercise due skill, care and diligence.”

The statement also claims the cyber breach was preventable, and that the bank could have prevented it if it had exercised “sufficient rigour, skill and urgency”.

The attackers stole £2.26m, a sum which the bank refunded to the victims, with a complimentary ‘we’re sorry’ message.

Mark Steward, executive director of enforcement and market oversight at the FCA, said the regulator has zero tolerance for the type of behaviour the bank had shown.

"The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks," he said. "In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all."

Tesco Bank said the attack was a ‘sophisticated criminal fraud’.

Jake Moore, cyber security expert at ESET UK, said banks needed to ‘show the public they are resilient to attacks’, to make sure their customers’ balances are safe.

“Unfortunately, a cyber-attack on a bank will not only weaken customer confidence in this particular bank but all online banks in general. This is a huge fine for a cyber-attack but it has also been placed to reduce this type of attack from reoccurring,” he said.

“Companies, and especially banks, understand that personal details, or in this case customers’ money, can be stolen in seconds but take years to rebuild in customer trust. This was a calculated attack, so being open with the FCA from the start not only reduced the amount stolen from escalating, but it also reduced the size of the fine thereafter.”

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years' experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.