The attackers netted £2.26m from the attack in November 2016

The FCA has fined Tesco Bank £16.4m for its handling of a November 2016 cyber attack.

The FCA ruled Tesco Bank, which has an insurance arm offering home, motor, travel and pet policies, failed to exercise “due skill, care and diligence” in protecting personal current account holders against the attack.

The attackers netted £2.26m from the 48-hour incident, which the FCA described as “largely avoidable”. Funds were fraudulently debited from 34 customers’ accounts in this time.

Mark Steward, executive director of enforcement and market oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. 

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. 

“This was too little, too late. Customers should not have been exposed to the risk at all.”

The attackers exploited deficiencies in Tesco Bank's debit card design, its financial crime controls and its financial crime operations team to launch the attack.

“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place,” Steward added.

“The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

Tesco Bank accepted the fine, and apologised for the disruption caused in 2016. It stressed that no customer data was stolen or lost as a result of the attack.

Commenting on the FCA’s notice, Gerry Mallon, Tesco Bank chief executive, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.

“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”

Cyber take-up

Mark Brenlund, partner at Weightmans LLP, said the size of the fine to Tesco Bank for an incident involving a relatively small number of customers indicated how seriously the FCA is taking cyber attacks.

He said this should be a major concern for the financial sector and all businesses that handle large amounts of customer data.

Brenlund added: “This is likely to lead to further acknowledgment by the public of the importance of data which is bound to lead to a rise in claims following a breach.

“Consequently we are likely to experience a step change in the take-up of cyber insurance policies by businesses, as they seek protection from the fallout of increasingly common cyber attacks.

“Now is the time for businesses to stress test their IT systems and security processes, failing which the likelihood of a successful attack will increase, meaning, if such an event occurred, so too would the cost of insurance coverage.”