This, the first mass cyber security breach of accounts at a western bank, caused Tesco’s financial arm to suspend its online services and eventually shell out £2.5m in reimbursements to its customers.
Tesco’s banking arm is now facing a record fine from the UK’s financial regulator over the 2016 cyber security breach, with the Financial Conduct Authority (FCA) said to be considering a fine of up to £30m.
Tesco Bank is understood to be in negotiations with the FCA in order to secure a reduced fine.
Cyber security breach
The bank revised an initial estimate of 40,000 customers having been affected by the cyber security breach, later downgrading this estimate to 20,000 and subsequently to 9,000.
Any losses were refunded within days and Tesco Bank claims that no customer data was compromised.
The relatively small number of customers affected adds shock value to the size of the proposed fine, which was first disclosed by Sky News.
The size of this fine would appear to suggest penalties reaching into the hundreds of millions, or even billions of pounds, for a larger-scale incident.
By contrast, the Information Commissioner’s Office (ICO) recently fined Equifax £500,000 for exposing the personal data of millions of British individuals to hackers, although analysts have stated that this was for data losses, not financial theft, and was also the maximum allowed under the data protection laws in place at the time.