The regulator said the cyber attack was ‘largely avoidable’ and allowed hackers to steal £2.25m from account holders.
Tesco Bank has been fined over £16m for failures that allowed the attackers to steal £2.26m from customers during an incident that ran over a two-day period in November 2016.
The Financial Conduct Authority (FCA) said Tesco Bank had failed to “exercise due skill, care and diligence” in protecting their current account holders from a cyber attack which was “largely avoidable”.
The FCA said the attackers most likely used an algorithm that generated authentic Tesco Bank debit card numbers and, using those virtual cards, carried out thousands of unauthorised debit card transactions.
More than £2m was stolen from the accounts of 9,000 customers and 40,000 accounts were compromised in total. After discovering the attack, Tesco Bank moved to temporarily suspend online transactions of all of its 136,000 account holders, leaving many customers unable to pay their bills.
The attackers were able to carry out the attack by exploiting weaknesses in Tesco Bank’s debit card design, its financial crime controls and its Financial Crime Operations Team.
These weaknesses included debit cards that were not designed for contactless transactions but could still be used for them, and an authorisation system that only checked whether the expiry date presented with a transaction lay in the future, rather than whether it matched the card’s actual expiry date.
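The two authorisation weaknesses described above, as an added illustration that is not Tesco Bank’s own code: a check that accepts any future expiry date beside one that compares the presented expiry against the issuer’s card record and enforces the card’s contactless capability. The card record, request format and field names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class CardRecord:
    """Issuer-side record for one card (constructed; field names assumed)."""
    pan_last4: str
    expiry: tuple            # (year, month) printed on the card
    contactless_enabled: bool

@dataclass(frozen=True)
class AuthRequest:
    """Authorisation request as presented by a merchant terminal (constructed)."""
    pan_last4: str
    expiry: tuple            # (year, month) the terminal supplied
    contactless: bool
    amount_pence: int

def weak_authorise(rec: CardRecord, req: AuthRequest, today: date) -> bool:
    """Mirrors the weakness the FCA described: any expiry in the future passes,
    and the contactless flag is never checked against the card's capability."""
    return req.expiry > (today.year, today.month)

def hardened_authorise(rec: CardRecord, req: AuthRequest, today: date):
    """Returns (approved, reason). The presented expiry must equal the issuer's
    record, the card must not yet be expired, and contactless is only allowed
    for cards enrolled for it."""
    if req.pan_last4 != rec.pan_last4:
        return False, "card not found"
    if req.expiry != rec.expiry:
        return False, "expiry mismatch"
    if rec.expiry < (today.year, today.month):
        return False, "card expired"
    if req.contactless and not rec.contactless_enabled:
        return False, "contactless not enabled for this card"
    return True, "approved"

# Constructed scenario: a card on file and a request carrying a guessed future expiry.
CARD = CardRecord("1234", (2019, 6), contactless_enabled=False)
TODAY = date(2016, 11, 5)
GUESSED = AuthRequest("1234", (2020, 1), contactless=False, amount_pence=5000)
GENUINE = AuthRequest("1234", (2019, 6), contactless=False, amount_pence=5000)

if __name__ == "__main__":
    print("weak:", weak_authorise(CARD, GUESSED, TODAY))          # True
    print("hardened:", hardened_authorise(CARD, GUESSED, TODAY))  # (False, 'expiry mismatch')
```

The weak check approves the guessed request because any future month passes; the hardened check rejects it and also refuses a contactless request on a card that is not enrolled for it.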