The Financial Conduct Authority has handed down a massive fine to the supermarket bank following a cyber-attack in November 2016. The attack did not result in any theft or loss of personal customers' data, but did lead to 34 transactions in which funds were debited from personal accounts and millions were stolen.
Tesco Bank is the financial arm of one of the UK’s largest supermarket chains and holds 5.6 million customer bank accounts.
The FCA says that Tesco failed to protect its customers and is holding the bank accountable for its lapse in risk management. This is the first time the FCA has taken enforcement action related to a cyber-attack.
Mark Steward, FCA director of enforcement and market oversight said: “Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place. The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack”.
He went on to say that the attack was largely avoidable, had the bank been more diligent with the design of its debit cards and its financial crime controls. “The attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” Mr. Steward said. “This was too little, too late. Customers should not have been exposed to the risk at all.”
The cyber thieves performed 34 transactions through debit cards and disrupted services to a large number of clients. The attack lasted 48 hours and the perpetrators stole £2.26 million.
The FCA also issued a warning to banks, saying that they are ultimately responsible for setting up measures and controls to prevent these types of crimes and that they must have a response plan in place in the event of a cyber-attack.
Following the attack, Tesco Bank announced it was investing in improving its financial crime systems and the skills of the staff who operate them. The bank cooperated fully with the regulators and quickly redressed the losses incurred by its clients. The FCA said that this, along with a willingness to expedite the settlement, earned Tesco Bank some credit, which helped to reduce the penalty from £33.6 million to £16.4 million.
When cyber-attacks occur and customers’ money is stolen from their accounts, it is up to the bank to reimburse the customer, as the breach was the bank’s fault. However, it is important to remember to keep your own bank account information safe too. It can be harder to get your money back if the bank thinks you did not do enough to protect yourself in the first place. This has typically been the response from banks, and getting your money back can become a long, drawn-out process, which often ends up being decided by the Financial Ombudsman Service. The financial regulator then has to assess your claim, and the whole process can take months to resolve.
So here are some ways you can protect yourself, and things to look out for:
1. Unsolicited or unexpected contact. If you receive any kind of contact out of the blue, particularly a phone call, it is best to avoid it.
2. Email address. If you get an email, expand the pane at the top of the message and check exactly which address it has come from. If it is a scam, the sender address will often be made up of random numbers or be a misspelling of the genuine one.
3. If it sounds too good to be true, it usually is. This is something you normally find with pension or investment scams, where the fraudster guarantees you huge returns but tells you the investment is low risk.
4. Personal details, PIN codes and passwords. No legitimate company will ask you for this information.
5. Quick decisions. If you are pushed into making a decision on the spot, be suspicious. Scammers don’t want you to have time to think about it.
6. Random competitions, particularly if you don’t remember entering them, should ring alarm bells.
What to do if you think you have been a victim of a scam?
You can contact Action Fraud by phone: 0300 123 2040. If your bank is refusing to help you, you can contact the Financial Ombudsman service on 0800 023 4567.