Britain’s Tesco Bank has been fined £16.4 million ($21.4 million, 18.4 million euros) for failing to protect customers during a 2016 cyber attack, regulators said Monday.
The supermarket’s bank division failed “to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack”, the Financial Conduct Authority said in a statement.
The attackers netted £2.26 million during the 48-hour incident in November 2016, according to the watchdog.
The attack “exploited deficiencies” in the design of Tesco Bank’s debit card, as well as its financial crime controls and financial crime operations team, it said.
Tesco Bank customers were therefore left vulnerable to what the regulator described as a largely avoidable incident.
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, FCA executive director of enforcement and market oversight.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late. Customers should not have been exposed to the risk at all.”