LONDON, Oct 1 (Reuters) - Britain’s markets watchdog has fined Tesco 16.4 million pounds ($21.4 million) for failing to protect account holders at its bank from a “foreseeable” cyber attack two years ago.
The Financial Conduct Authority said that in November 2016 cyber attackers exploited deficiencies in Tesco Bank’s design of its debit card and in its financial crime controls.
“Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers 2.26 million pounds,” the FCA said in a statement on Monday.
Separately, Tesco said it fully accepted the FCA’s findings and agreed to a settlement of 16.4 million pounds.
“The FCA recognised... that, once senior management were aware, Tesco Bank responded quickly to stop the fraudulent transactions, updating customers regularly and deploying significant resources to return customers to their previous financial position,” the supermarket group said.
Tesco apologised to its customers and said it has significantly enhanced its security measures.
Mark Steward, the FCA’s executive director for enforcement, said the size of the fine reflected the watchdog’s “no tolerance” policy for banks that failed to protect customers from foreseeable risks.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” Steward said.
“This was too little, too late. Customers should not have been exposed to the risk at all.”
($1 = 0.7668 pounds)
(Reporting by Huw Jones; Editing by Alexander Smith)