Tesco Bank fined £16.4 million by FCA for 2016 data breach
2 October 2018
The UK’s Financial Conduct Authority (FCA) has issued a fine of £16,400,000 to Tesco Bank for failing to prevent a data breach in November 2016 that resulted in the loss of £2.26 million of customers’ money.
The financial watchdog said in a statement that deficiencies in Tesco Bank’s design of its debit card, in its financial crime controls, and in its Financial Crime Operations Team as well as a series of errors committed by the bank after the breach was detected resulted in customers losing millions.
The FCA initially proposed a fine of £23,428,500 on Tesco Bank for the aforementioned failures, but the bank’s willingness to settle at an early stage of the Authority’s investigation qualified it for a 30 percent discount, thereby limiting the fine to £16.4 million.
Glaring lapses in crisis management by Tesco Bank staff
The incident took place on Saturday, November 5th, when hackers targeted Tesco Bank’s IT infrastructure and started making Contactless MSD transactions on which there are no limits in terms of the number of transactions or the value of each transaction. The FCA noted that since the hackers succeeded in transferring money from customer accounts to their own, it is clear that they were able to obtain authentic Tesco Bank debit card “PAN” numbers.
Even though Tesco’s automated fraud analysis and detection system detected the breach and the unauthorised transactions, poor handling of the situation by Tesco Bank’s Financial Crime Operations Team significantly delayed an adequate response by the bank. According to the FCA, the Financial Crime Operations Team took 21 hours to make contact with Tesco Bank’s Fraud Strategy Team, thereby allowing the attackers to continue with their attacks and steal millions of pounds.
Once it was informed, the Fraud Strategy Team put a rule in place to block all unauthorised transactions that were being carried out from Brazil. However, the rule had no effect on the hackers’ operations, as the team erroneously used the Euro currency code instead of Brazil’s country code. Since the rule’s implementation was not monitored from the outset, it took the team four hours to identify the error. In the meantime, as many as 80,000 fraudulent transactions had been attempted by the Brazilian hackers by 1 AM on 7th November.
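The rule error described above, as an added illustration that is not from the FCA notice or Tesco Bank: the mistaken rule tests the currency field against the Euro code, the intended rule tests the merchant country field against Brazil, and a pre-deployment check verifies that a new rule actually blocks the authorisations it was written for. The transaction records, field names and the assumption that the codes are ISO numeric (EUR 978 under ISO 4217, Brazil 076 under ISO 3166-1) are constructed for the example.

```python
from dataclasses import dataclass

# Assumed encoding: ISO numeric codes as strings (constructed for this example).
EUR_CURRENCY = "978"     # ISO 4217 numeric code for the Euro
BRAZIL_COUNTRY = "076"   # ISO 3166-1 numeric code for Brazil
BRL_CURRENCY = "986"     # ISO 4217 numeric code for the Brazilian real

@dataclass(frozen=True)
class Transaction:
    pan_suffix: str        # last four digits only; a full PAN never belongs in logs
    entry_mode: str        # e.g. "contactless_msd" or "chip_pin"
    merchant_country: str  # country where the authorisation originated
    currency: str          # currency the authorisation was requested in
    amount: float

def rule_wrong(tx: Transaction) -> bool:
    """The mistaken rule: compares the currency field against the EUR code."""
    return tx.entry_mode == "contactless_msd" and tx.currency == EUR_CURRENCY

def rule_correct(tx: Transaction) -> bool:
    """The intended rule: block contactless MSD authorisations from Brazil."""
    return tx.entry_mode == "contactless_msd" and tx.merchant_country == BRAZIL_COUNTRY

def deploy_check(rule, expected_blocked, expected_allowed, min_hit_rate=0.9):
    """Dry-run a rule before it goes live. Returns (hit_rate, false_positives, ok).
    A rule that blocks almost none of the traffic it was written to stop, or that
    blocks known-good traffic, is rejected instead of being switched on blind."""
    hits = sum(1 for tx in expected_blocked if rule(tx))
    hit_rate = hits / len(expected_blocked) if expected_blocked else 0.0
    false_positives = [tx for tx in expected_allowed if rule(tx)]
    return hit_rate, false_positives, hit_rate >= min_hit_rate and not false_positives

# Constructed samples: three fraudulent MSD authorisations from Brazil and one
# legitimate UK chip-and-PIN purchase that must keep working.
FRAUD_SAMPLE = [
    Transaction("1234", "contactless_msd", BRAZIL_COUNTRY, BRL_CURRENCY, 40.00),
    Transaction("1234", "contactless_msd", BRAZIL_COUNTRY, BRL_CURRENCY, 95.50),
    Transaction("5678", "contactless_msd", BRAZIL_COUNTRY, BRL_CURRENCY, 120.00),
]
LEGIT_SAMPLE = [Transaction("9012", "chip_pin", "826", "826", 15.20)]  # 826 = United Kingdom

if __name__ == "__main__":
    for name, rule in (("wrong", rule_wrong), ("correct", rule_correct)):
        rate, fps, ok = deploy_check(rule, FRAUD_SAMPLE, LEGIT_SAMPLE)
        print(f"{name}: hit rate {rate:.0%}, false positives {len(fps)}, deploy={ok}")
```

Monitoring the block count after go-live closes the same gap from the other side: a rule meant to stop an ongoing attack that reports zero hits is a signal in itself.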
The fraudulent operation was ultimately stopped at 3:35 AM on 7th November, but by that time it had affected 8,261 out of 131,000 Tesco Bank personal current accounts. However, a series of steps taken by Tesco Bank, such as not allowing the debited amounts to show on customers’ accounts, refunding fees, interest and charges to customers, and paying compensation to distressed customers, reduced the impact of the breach to a large extent.
Even though multiple errors committed by Tesco Bank’s Financial Crime Operations and Fraud Strategy teams led to the bank’s failure to stop the fraud as soon as it was detected, the FCA noted that the bank’s senior management acted responsibly and efficiently to mitigate the effects of the breach.
“Once it was alerted to the incident on Sunday, 6 November 2016 at 15:00, Tesco Bank’s senior management analysed the situation and took immediate action. At 23:30 on Sunday, 6 November 2016, it decided to block all online transactions and contactless transactions for debit cards, excluding Chip & PIN, ATM and online banking.
“Senior management’s actions stopped the fraudulent transactions. They updated customers regularly and deployed significant resources to return customers to their previous financial position,” it said.
Despite these actions, the FCA ruled that Tesco Bank was still liable to regulatory action for several reasons. Firstly, the Financial Crime Operations Team emailed an inbox instead of telephoning the on-call Fraud Strategy Analyst after it detected the breach. Secondly, the Customer Operations Incident Management Rota contained an incorrect telephone number, which delayed Tesco Bank in reaching the on-call fraud analyst. Thirdly, Tesco Bank’s employees failed to accurately follow crisis management procedures, and fourthly, coding errors by the Fraud Strategy Team allowed the hackers to continue with their operation.
The FCA concluded that because of such errors, the breach caused inconvenience and distress to a large proportion of Tesco Bank’s debit card customers, resulted in 668 unpaid direct debits on customers’ accounts, stopped customers from carrying out their banking activities for over 48 hours, and also resulted in hackers netting £2.26 million from Tesco Bank’s personal customer accounts.