The UK's financial regulator has fined Tesco Bank £16.4m for the data breach that occurred in late 2016.
According to the Financial Conduct Authority's (FCA) official statement, Tesco Bank is being fined “because it failed to exercise due skill, care and diligence.”
The statement also claims the cyber breach was preventable, and that the bank could have prevented it if it had exercised “sufficient rigour, skill and urgency”.
The attackers stole £2.26m, a sum which the bank refunded to the victims, along with a complimentary ‘we’re sorry’ message.
Mark Steward, executive director of enforcement and market oversight at the FCA, said the regulator has zero tolerance for the type of behaviour the bank had shown.
"The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks," he said. "In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all."
Tesco Bank said the attack was a ‘sophisticated criminal fraud’.
Jake Moore, cyber security expert at ESET UK said banks needed to ‘show the public they are resilient to attacks’, to make sure their customers’ balances are safe.
“Unfortunately, a cyber-attack on a bank will not only weaken customer confidence in this particular bank but all online banks in general. This is a huge fine for a cyber-attack but it has also been placed to reduce this type of attack from reoccurring,” he said.
“Companies, and especially banks, understand that personal details, or in this case customers’ money, can be stolen in seconds but take years to rebuild in customer trust. This was a calculated attack, so being open with the FCA from the start not only reduced the amount stolen from escalating, but it also reduced the size of the fine thereafter.”
Image source: Shutterstock/Ai825