Financial Services Intelligence Watch

Tesco Bank fined £16.4 million for cyber-security failings

Publish date: 09 November 2018
Issue Number: 47
Diary: CompliNEWS
Category: Enforcement

The UK's Financial Conduct Authority (FCA) announced at the start of November 2018 that it had fined Tesco Bank £16.4 million over a cyber-attack that occurred exactly two years ago.

Reed Smith's article notes that in November 2016, 8,261 personal current accounts at Tesco Bank were compromised. Attackers obtained customers’ debit card details and carried out thousands of unauthorised transactions.

This is the first cyber-attack-related fine to be imposed on a UK bank by the FCA. The fine was reduced from the initial draft penalty of £23.5 million on the basis that Tesco Bank agreed to settle at an early stage, to be cooperative, and to compensate customers.

The FCA set out its findings and enforcement action in its Final Notice dated 1 October 2018.

The fine was issued on the basis that Tesco Bank breached the FCA’s Second Business Principle, which provides that a firm must conduct its business with due skill, care and diligence.

The FCA criticised Tesco Bank, saying that the cyber-attack was 'largely avoidable'. The failings of Tesco Bank to conduct its business with due skill, care and diligence included:

  • issuing debit cards with sequential card numbers, meaning that hackers could more easily work out details of active cards;
  • configuring its authorisation system to check only that a card’s expiry date was in the future, and not that the date was correct;
  • taking action to block the specific type of fraudulent transaction for its credit cards, but failing to do the same for its debit cards; and
  • not responding to the attack with sufficient 'rigour, skill and urgency'.

This is because Tesco Bank, contrary to procedure, failed to contact its fraud strategy team effectively; used an incorrect code to block the unauthorised transactions; and failed to monitor the rule’s operation, so it did not notice that the code was not working properly. The Final Notice concludes by acknowledging that Tesco Bank’s cyber-crime framework was appropriate but that it was, in fact, individuals within the bank who had failed to exercise the required due skill, care and diligence.

Tesco Bank has since changed its issuing practice and no longer issues cards with sequential card numbers. It has also changed its authorisation system, and now checks that the expiry date is correct.
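The expiry-date failing and its correction, as an added example that is not taken from the Final Notice or from any Tesco Bank system: it compares a future-only check with an exact-match check and counts how many presented expiry values each accepts for one card. The card identifier, issuer record, function names and 60-month window are assumptions constructed for illustration.

```python
from datetime import date

# Constructed issuer record: placeholder card id -> (expiry year, expiry month).
ISSUED = {"TEST-PAN-0001": (2019, 8)}


def in_future(expiry, today):
    """True if the (year, month) expiry has not yet passed."""
    return tuple(expiry) >= (today.year, today.month)


def authorise_future_only(pan, presented, today):
    """Weak setting: any known card with any future expiry passes."""
    return pan in ISSUED and in_future(presented, today)


def authorise_exact(pan, presented, today):
    """Corrected setting: presented expiry must equal the issuer's record."""
    on_file = ISSUED.get(pan)
    if on_file is None:
        return False
    return tuple(presented) == on_file and in_future(on_file, today)


def accepted_expiries(authorise, pan, today, months=60):
    """List the expiry values in the next `months` months that are accepted."""
    accepted = []
    year, month = today.year, today.month
    for _ in range(months):
        if authorise(pan, (year, month), today):
            accepted.append((year, month))
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return accepted


if __name__ == "__main__":
    today = date(2016, 11, 5)
    for check in (authorise_future_only, authorise_exact):
        hits = accepted_expiries(check, "TEST-PAN-0001", today)
        print(f"{check.__name__}: accepts {len(hits)} of 60 expiry values")
```

Under the future-only setting the expiry field adds no assurance that the cardholder's real data was presented, which is why a regression test for an authorisation rule should assert that a wrong-but-future expiry is declined.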
