Tesco Bank facing £30m fine from FCA over 2016 cyber attack

Tesco 'actively negotiating' with Financial Conduct Authority in a bid to slash the size of the proposed fine

Tesco Bank could be fined as much as £30 million over its 2016 cyber attack that compromised the accounts of at least 40,000 of its seven million customers.

The attack in November 2016 is one of the most serious ever on a UK retail bank, with money stolen from 20,000 accounts over one weekend - some customers seeing as much as £2,000 siphoned off.

Tesco Bank shut down online transactions for two days in response and had to pay back around £2.5 million to customers.

On top of that, the Financial Conduct Authority (FCA) is threatening to levy a hefty fine on the Bank of up to £30 million, according to Sky News. This will be the largest penalty it's ever handed out.

This comes after an FCA probe looked into whether Tesco Bank had left its customers exposed to fraud because it had issued sequential debit-card numbers, a practice most lenders avoid as it makes it easier for hackers to guess expiry dates and security codes.

Tesco Bank was also criticised for its response to the attack, with customers' complaining that they were kept on hold for hours and received no communication from the company.

However, Tesco Bank is contesting the scale of the FCA's proposed fine, according to a legal source speaking to Sky News, and is said to be in active negotiations with the watchdog in a bid to lessen the size of its punishment.

A "substantially lower" sum could be agreed within the next few weeks, according to the source.

At the time of the attacks, a data protection lawyer, who asked not to be named, told Computing's that Tesco could be on the hook for a fine of more than £1.9 billion if the compromise had occurred under the EU's General Data Protection Regulations.

At the time of the attack, the Information Commissioner's Office (ICO) confirmed it would also be investigating the company.

"The law requires organisations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate and enforce if necessary," it said.