FCA fines Tesco Bank for failing to prevent cyber attack

FCA has fined Tesco Personal Finance plc £16,400,000. It found the bank failed to exercise due skill, care and diligence in protecting its personal current account (PCA) holders against a cyber attack that took place in November 2016, and so breached Principle 2.

When the cyber attack occurred, it seems the attackers used an algorithm that generated authentic debit card numbers and used them to engage in unauthorised card transactions. The attack did not involve loss or theft of personal data. The incident took place over 48 hours and the attackers amassed £2.26m.

The bank became aware of the attack when its system started to ask customers to call about suspicious activity, but a series of errors meant that the bank’s financial crime operation team did not contact the fraud strategy team for 21 hours, during which time nothing was done to stop the attack, which continued. The fraud strategy team identified the primary channel and source of the attack and put in place a rule to block the transactions, but failed to monitor it – and in fact the rule was ineffective because of a mistake in it. The bank put right the mistake, but residual transactions continued. It called in experts, who uncovered another coding error in the bank’s original system.

Once senior management became aware of the incident, it took immediate action by blocking certain transactions, and this had the effect of stopping the fraudulent transactions. Senior management updated customers regularly and did much to return them to their previous financial position.

FCA said the bank had failed to protect customers from “foreseeable risks”. It had had a very specific warning that it did not address until it was too late. The cyber attack was able to take place because the bank did not exercise sufficient skill, care and diligence in:

  • the design and distribution of its debit card: it never intended the cards to be used for contactless MSD transactions, yet allowed that use. It also issued cards with sequential numbers, which made it easier for fraudsters;
  • configuring authentication and fraud detection rules: the system did not require checking the exact date of card expiration and the fraud analysis management system was set at account level and not card level, so that cards that had been replaced did not go through the system;
  • taking appropriate action to prevent the foreseeable risk of fraud: Visa and MasterCard had warned members about this particular risk, but the bank took action only to block the transactions on its credit cards, not its debit cards; and
  • responding to the attack with enough rigour, skill and urgency: exemplified by the failures to alert the correct teams in the right way, the coding errors and the lack of monitoring, together with unclear guidance on when to invoke crisis management procedures.
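The second bullet describes two control settings, an inexact expiry check and fraud-rule state kept per account rather than per card. The following is an added, constructed model of an authorisation check with those weak settings beside the corrected ones; it is not Tesco Bank code, and the card data, account identifiers and the "year-only" reading of the inexact expiry check are assumptions made for illustration.

```python
"""Constructed toy authoriser contrasting weak and corrected fraud-rule settings."""
from dataclasses import dataclass


@dataclass
class Card:
    pan: str
    expiry: str              # "MM/YY" as embossed on the card
    account: str
    replaced: bool = False   # True once the bank has reissued this card


@dataclass
class Rules:
    exact_expiry: bool   # compare the full MM/YY rather than the year alone
    per_card: bool       # keep fraud state per PAN rather than per account


class Authoriser:
    def __init__(self, cards, rules):
        self.by_pan = {c.pan: c for c in cards}
        self.rules = rules

    def authorise(self, pan, expiry):
        card = self.by_pan.get(pan)
        if card is None:
            return "decline:unknown-pan"
        # Weak setting (assumed reading): only the expiry year is compared,
        # so a guessed month still passes.  Corrected: exact MM/YY match.
        theirs = expiry if self.rules.exact_expiry else expiry[-2:]
        ours = card.expiry if self.rules.exact_expiry else card.expiry[-2:]
        if theirs != ours:
            return "decline:expiry"
        if self.rules.per_card and card.replaced:
            # Card-level state knows this PAN was reissued and blocks it.
            return "decline:replaced-card"
        # Account-level state sees only a healthy account, so a replaced
        # PAN is never evaluated on its own and sails through.
        return "approve"


def demo(rules):
    """Three constructed presentments: reissued PAN with a wrong month,
    reissued PAN with its real expiry, then the live replacement card."""
    cards = [Card("4000000000000001", "03/19", "ACC-1", replaced=True),
             Card("4000000000000002", "11/21", "ACC-1")]
    a = Authoriser(cards, rules)
    return (a.authorise("4000000000000001", "07/19"),
            a.authorise("4000000000000001", "03/19"),
            a.authorise("4000000000000002", "11/21"))
```

Running `demo(Rules(exact_expiry=False, per_card=False))` approves all three presentments, while `demo(Rules(exact_expiry=True, per_card=True))` declines the first two and approves only the live card.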

FCA found that, although the bank’s controls stopped around 80% of the unauthorised transactions, the attack affected over 8,000 accounts – and the customers who were affected received texts in the middle of the night, faced embarrassment when unable to use their cards and long queues when calling the bank for help. The charges and interest the bank applied led to many unpaid direct debits.

The bank provided a high level of cooperation to FCA. That, together with a comprehensive redress programme that fully compensated customers and the fact that it stopped a significant percentage of unauthorised transactions, meant that what would have been a fine of over £33 million was reduced by 30% for mitigation credit and a further 30% discount for early settlement. FCA commented that the bank independently commissioned expert reports, which it acted upon. It accepted responsibility for the incident and agreed to participate in a symposium to discuss the lessons it learned.

We’ve also written a longer article on this fine.