Tesco Bank fined £16.4m by FCA over 2016 cyber attack
Fine negotiated down from £33.6m for compensating customers quickly and agreeing early settlement with FCA
Tesco Bank has been fined £16.4 million over IT security failings that contributed to the November 2016 cyber attack. The attack enabled thieves to get away with £2.26 million from compromised accounts.
However, the fine, levied by the Financial Conduct Authority (FCA), is well down on the £30 million figure talked about just last week. The FCA suggested that if Tesco Bank had not fully cooperated, speedily compensated out of pocket account holders, and agreed to an early settlement the fine would have been as high as £33,562,400.
The FCA found, in particular, that Tesco Bank had failed to "exercise due skill, care and diligence" in a number of key areas:
- The design and distribution of its debit card, by issuing cards with sequential numbers that made card numbers, expiry dates and security codes easier to predict;
- Configure specific authentication and fraud detection rules;
- Take appropriate action to prevent the foreseeable risk of fraud;
- Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.
"Cyber security requires resilience. A financial institution's board is ultimately responsible for ensuring that its cyber crime controls are designed to meet standards of resilience. The board must set an appropriate cyber crime risk appetite and ensure that its institution's cyber-crime controls are designed to anticipate and reduce the risk of a successful attack," warned the FCA in a statement.
It continued: "Where an attack is successful, the board should ensure that the bank's response plans are clear, well designed and well-rehearsed and that the bank recovers quickly from the incident."
It added, though, that in the aftermath of the attack, the bank had put in place a comprehensive redress programme and invested resources in fixing some of the vulnerabilities that had been exploited, as well as reviewing its financial crime controls.
"It has made significant improvements both to enhance its financial crime systems and controls and the skills of the individuals who operate them," claimed the FCA.
The attackers focused on Visa debit cards because Visa is the only payment network that does not detect multiple invalid payment requests on the same card, making it easier for attackers to keep firing card expiry date and CVV code guesses at different websites until they score a hit, according to the Financial Times.
Indeed, a month after the Tesco crack, a research paper from Newcastle University suggested that working out the card number, expiry date and CVV code can take as little as six seconds. "By automatically and systematically generating different variations of the card's security data and firing it at multiple websites, within seconds hackers are able to get a 'hit' and verify all the necessary security data," suggested financial services website Finextra.
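The detection gap the article describes is that each merchant sees only one or two declined attempts, so a per-merchant rule never fires; the guessing only becomes visible when declines are correlated per card across merchants, which is what an issuer or network can do. The following is an added illustration written for this page, not code from Tesco Bank, Visa, the FCA or the cited researchers. The authorisation log, the dates, the merchant ids and the thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of authorisation attempts as an issuer would see them:
# (ISO timestamp, masked PAN, merchant id, outcome). The first card receives a
# burst of wrong expiry/CVV guesses from five different merchants within seconds;
# the second is a cardholder mistyping their CVV twice at one shop.
SAMPLE_LOG = [
    ("2016-11-01T03:00:00", "4*** **** **** 1001", "shop-a", "bad_expiry"),
    ("2016-11-01T03:00:02", "4*** **** **** 1001", "shop-b", "bad_expiry"),
    ("2016-11-01T03:00:03", "4*** **** **** 1001", "shop-c", "bad_cvv"),
    ("2016-11-01T03:00:04", "4*** **** **** 1001", "shop-d", "bad_cvv"),
    ("2016-11-01T03:00:05", "4*** **** **** 1001", "shop-e", "bad_cvv"),
    ("2016-11-01T03:00:06", "4*** **** **** 1001", "shop-f", "approved"),
    ("2016-11-01T09:15:00", "4*** **** **** 2002", "shop-a", "bad_cvv"),
    ("2016-11-01T09:15:30", "4*** **** **** 2002", "shop-a", "bad_cvv"),
    ("2016-11-01T09:16:00", "4*** **** **** 2002", "shop-a", "approved"),
]


def per_merchant_declines(log):
    """The merchant-side view: the most declines any single merchant saw for
    each card. This is all a per-website rule can act on, and for a card being
    guessed across many sites it stays at one."""
    counts = defaultdict(int)
    for _, pan, merchant, outcome in log:
        if outcome != "approved":
            counts[(pan, merchant)] += 1
    worst = defaultdict(int)
    for (pan, _), n in counts.items():
        worst[pan] = max(worst[pan], n)
    return dict(worst)


def detect_guessing(log, window_seconds=60, max_declines=4, min_merchants=3):
    """Issuer/network-side velocity rule (thresholds are illustrative, not any
    scheme's real parameters): flag a card once it accumulates max_declines or
    more declined attempts within window_seconds spread over at least
    min_merchants distinct merchants.

    Returns {masked_pan: (declines_in_window, distinct_merchants)} recording
    the peak seen for each flagged card.
    """
    recent = defaultdict(deque)  # pan -> deque of (timestamp, merchant) declines
    flagged = {}
    for ts_str, pan, merchant, outcome in sorted(log):  # ISO strings sort by time
        if outcome == "approved":
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[pan]
        q.append((ts, merchant))
        # Drop declines that have aged out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        merchants = {m for _, m in q}
        if len(q) >= max_declines and len(merchants) >= min_merchants:
            flagged[pan] = max(flagged.get(pan, (0, 0)), (len(q), len(merchants)))
    return flagged


if __name__ == "__main__":
    print("per-merchant view:", per_merchant_declines(SAMPLE_LOG))
    print("cross-merchant flags:", detect_guessing(SAMPLE_LOG))
```

Running it shows the per-merchant view reporting at most one decline for the guessed card (and two for the honest cardholder), so a merchant-level threshold of three would flag nothing, while the cross-merchant rule flags only the guessed card. A real deployment would feed the flagged PANs into a step-up or decline decision before the "approved" attempt that follows the burst, which is the control the article says was missing.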