TESCO BANK has been fined £16.4 million by the financial watchdog after it failed to protect its current account holders from a cyber-attack in November 2016.
Fraudsters stole £2.26 million during the cyber-attack. Thousands of Tesco Bank customers had their online accounts frozen for up to 48 hours after the attack, the report said on Monday.
Tesco Bank says scammers made 34 transactions and that the fraud did not involve the theft or loss of any customers’ data.
The bank refunded all customers back in November 2016, but the Financial Conduct Authority (FCA) said the cyber-attack was a “largely avoidable incident”.
Tesco Bank failed to show due skill, care and diligence when it came to designing and distributing debit cards.
The FCA confirms reports made at the time that suggested Tesco Bank issued its Visa debit cards sequentially rather than using randomly generated card numbers. This made it easier for hackers to guess the long numbers on cards.
The FCA said Tesco Bank did not take appropriate action to prevent the fraud from happening in the first place.
The retailer also did not respond to the attack with sufficient “rigour, skill and urgency”, making a number of blunders in how it dealt with the crisis and taking days to resume normal service.
“Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection,” Gerry Mallon, Tesco Bank chief executive, said.
In a separate incident earlier this year, Tesco Bank cancelled thousands of customers’ credit cards after a suspected fraud breach.