The Financial Conduct Authority (FCA) has fined Tesco Personal Finance plc (Tesco Bank) £16,400,000 for failing to exercise due skill, care, and diligence in protecting its personal current account holders against a cyber attack. The cyber attack took place in November 2016, and affected 8,261 personal current accounts at Tesco Bank. The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers and, using those “virtual cards”, they engaged in thousands of unauthorised debit card transactions. They exploited deficiencies in Tesco Bank’s debit card design, its financial crime controls and in its Financial Crime Operations Team to carry out the attack. Those deficiencies left Tesco Bank’s personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the cyber attackers £2.26m. The net loss to Tesco Bank was £700,000, and the attack did not involve the loss or theft of customers’ personal data. In November 2016, at the time of the Cyber Attack, Tesco Bank had approximately 7.6 million customer accounts, including approximately 133,101 personal current accounts.
From when the attack started, at 02:00 on Saturday, 5 November 2016, until it was stopped, at 17:10 on Monday, 7 November 2016, Tesco Bank was found to have made a number of internal mistakes which caused a significant delay in addressing the attack and mitigating the risks to its customers. Only at 08:00 on Wednesday, 9 November 2016, was action by senior management able to stop the fraudulent transactions. Tesco Bank updated customers regularly and deployed significant resources to return customers to their previous financial position. Following the attack Tesco Bank immediately initiated a consumer redress programme to limit the effect of the attack on customers, which included removing pending debits before they were posted to customer accounts, refunding fees, charges and interest, reimbursing customers for the direct losses they had incurred, and paying compensation for distress and inconvenience on a case-by-case basis. The FCA Final Notice reports that account holders received text messages in the early hours of the morning which were likely to cause distress, suffered embarrassment and inconvenience when they were unable to make payments using their debit cards, and in some cases experienced long call queues and did not always receive the help they needed from call centre staff. Only three complaints were referred to the Financial Ombudsman Service, and those were upheld in Tesco Bank’s favour.
In addition, Tesco Bank commissioned independent expert reports on the root cause of the incident and its financial crime controls, and provided these to the Authority, taking prompt steps to examine and revise its processes and procedures consistent with the recommendations in the reports. Tesco Bank also agreed to participate in a symposium to discuss the lessons that it had learned from the attack with banks, other regulators and law enforcement agencies.
The FCA found that Tesco Bank breached Principle 2 (a firm must conduct its business with due skill, care and diligence): the bank was vulnerable because individuals failed to exercise due skill, care and diligence when:
- Designing and distributing its debit card, which was not intended to be used for contactless transactions, yet that payment method remained enabled. The FCA also found that Tesco Bank had inadvertently issued debit cards with sequential PANs (Primary Account Numbers, the long number on the front of the card), which made it easier for the attackers to identify the sequence and generate further valid card numbers;
- Configuring specific authentication and fraud detection rules, including configuring its fraud analysis management system at account level instead of card level: this meant that debit card transactions for cards that had been replaced were not captured by the fraud analysis system;
- Taking appropriate action to prevent the foreseeable risk of fraud. Visa warned its members, including Tesco Bank, about fraudulent POS transactions occurring in Brazil and the US. Tesco Bank immediately implemented a rule to block these transactions on its credit cards, but failed to make parallel changes to its debit cards. MasterCard sent an email to all its members, including Tesco Bank, on 30 September 2016, warning of another attack suffered in the UK, however Tesco Bank again failed to take any action on debit cards;
- Responding to the November 2016 cyber attack with sufficient rigour, skill, and urgency, including following its own internal written procedures. Crisis management procedures, including the criteria for assessing the seriousness and scale of an incident, were documented; however, the training materials explaining the stage at which crisis management should be invoked should have been clearer, and the responsible managers should have invoked the crisis management procedures earlier.
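The first two findings in the list above are the ones a security engineer can model. The following Python is an added example, written for this page; it is not Tesco Bank's code, not taken from the FCA Final Notice, and the Final Notice does not describe the bank's systems in this detail. It shows (a) why sequentially issued PANs matter: the Luhn check digit is computed, not secret, so from one known card number an attacker can enumerate neighbouring PANs that are all syntactically valid, and under sequential issuance almost all of them are live cards, whereas under random assignment of the account field the hit rate is the number of issued cards divided by the 10^9 possible account fields per BIN; and (b) how keying a fraud system by account rather than by card can leave a replaced card's transactions unevaluated. The BIN `499999`, the account names, the PANs and the transactions are constructed, and the account-level lookup mechanism (one profile per account, reached through the account's current card) is an assumption made for illustration, not a description of the bank's actual configuration. The model deliberately ignores expiry date and CVV checks, which real authorisation may also apply; the point is the entropy of the card number itself.

```python
"""Illustrative model (not Tesco Bank's code) of two findings in the FCA Final
Notice: sequentially issued PANs, and a fraud system keyed by account rather
than by card. Every PAN, account name and transaction below is constructed."""
import random
from collections import Counter
from dataclasses import dataclass

BIN = "499999"        # hypothetical issuer identifier (first 6 PAN digits)
ACCT_DIGITS = 9       # 6 BIN + 9 account digits + 1 check digit = 16-digit PAN
ACCT_SPACE = 10 ** ACCT_DIGITS

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):   # digit next to the check digit is doubled
        d = int(ch)
        total += (d * 2 - 9 if d > 4 else d * 2) if i % 2 == 0 else d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) == 16 and luhn_check_digit(pan[:-1]) == pan[-1]

def make_pan(acct: int) -> str:
    body = BIN + f"{acct % ACCT_SPACE:0{ACCT_DIGITS}d}"
    return body + luhn_check_digit(body)

def issue_cards(n: int, sequential: bool, seed: int = 1) -> set[str]:
    """Issue n cards as one sequential run, or with random account fields."""
    if sequential:
        return {make_pan(100_000_000 + k) for k in range(n)}
    rng = random.Random(seed)
    return {make_pan(rng.randrange(ACCT_SPACE)) for _ in range(n)}

def enumerate_neighbours(known_pan: str, count: int) -> list[str]:
    """Candidates an attacker derives from one known card by incrementing its
    account field and recomputing the check digit; all of them are Luhn-valid."""
    acct = int(known_pan[len(BIN):-1])
    return [make_pan(acct + k) for k in range(1, count + 1)]

def live_hits(issued: set[str], known_pan: str, guesses: int) -> int:
    """How many of the attacker's neighbour guesses are real, issued cards."""
    return sum(pan in issued for pan in enumerate_neighbours(known_pan, guesses))

@dataclass(frozen=True)
class Card:
    pan: str
    account: str
    status: str       # "active" or "replaced"

@dataclass(frozen=True)
class Txn:
    pan: str
    amount_pence: int

def account_level_monitor(txns, cards, limit):
    """Assumed mechanism for an account-level configuration: one velocity profile
    per account, reached through the account's current card. A transaction on any
    other PAN linked to the account (a replaced card, say) finds no profile."""
    profile_of = {c.pan: c.account for c in cards if c.status == "active"}
    counts, flagged, unmonitored = Counter(), set(), []
    for t in txns:
        account = profile_of.get(t.pan)
        if account is None:
            unmonitored.append(t)       # never evaluated by the rule
            continue
        counts[account] += 1
        if counts[account] > limit:
            flagged.add(account)
    return flagged, unmonitored

def card_level_monitor(txns, limit):
    """Card-level configuration: the same velocity rule keyed by PAN, so every
    card that transacts is evaluated, replaced or not."""
    counts, flagged = Counter(), set()
    for t in txns:
        counts[t.pan] += 1
        if counts[t.pan] > limit:
            flagged.add(t.pan)
    return flagged

# Constructed sample: acct-42's card was replaced; the attacker presents a
# burst of small POS transactions on the old PAN and one on the new card.
OLD_PAN, NEW_PAN = make_pan(100_000_042), make_pan(200_000_042)
CARDS = [Card(OLD_PAN, "acct-42", "replaced"), Card(NEW_PAN, "acct-42", "active")]
ATTACK = [Txn(OLD_PAN, 999)] * 6 + [Txn(NEW_PAN, 1500)]

def compare_monitoring(limit: int = 3) -> dict:
    acct_flagged, missed = account_level_monitor(ATTACK, CARDS, limit)
    return {"account_level_flagged": sorted(acct_flagged),
            "account_level_unmonitored": len(missed),
            "card_level_flagged": sorted(card_level_monitor(ATTACK, limit))}
```

Calling `live_hits(issue_cards(133_101, True), make_pan(100_000_000), 1000)` returns 1000: every neighbour of one known card in a sequential run is a live card. With the same number of cards issued at random account fields, the same 1000 guesses hit on the order of 0.1 cards on average, because a 6-digit BIN leaves 10^9 Luhn-valid account fields of which only about 133,000 are in use. `compare_monitoring()` shows the second finding: keyed by account, the six transactions on the replaced card are never evaluated and nothing is flagged; keyed by card, the replaced PAN trips the velocity rule on its fourth transaction.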
The external report found that, despite Tesco Bank senior management’s desire to manage financial crime risks, its customer security operating model was behind its peers and “not sustainable”.
Tesco Bank agreed to settle at an early stage of the Authority’s investigation and provided a high level of cooperation to the FCA, therefore qualifying for a 30% discount, without which the penalty would have been £23,428,571. The FCA recognised that the breach was committed negligently and that there was no lack of integrity or good faith.
Following the attack, Tesco Bank immediately put in place a comprehensive redress programme, devoted significant resources to remedying the deficiencies that had left it vulnerable, and instituted a comprehensive end-to-end review of its financial crime controls. It has since made significant improvements both to its financial crime systems and controls and to the skills of the individuals who operate them.
What lessons can be learnt from this case?
This fine shows the FCA’s zero-tolerance approach to firms that fail to protect customers from foreseeable and preventable risks. Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, said: “The attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
A financial institution’s board is ultimately responsible for ensuring that its cyber-crime controls are designed to meet standards of resilience. It must set an appropriate cyber-crime risk appetite and ensure that the firm’s internal controls are designed to anticipate and reduce the risk of a successful attack. Where an attack is successful, the board should ensure that the response plans are clear, well designed and well-rehearsed, so that the institution can recover quickly from the incident. Crisis management is a key element in a cyber-incident response framework, which includes having well documented and periodically tested crisis management procedures, and ensuring that the individuals responsible for implementing crisis management procedures understand them and have the appropriate knowledge and skills to put the right action in place.
The risk of cyber-crime cannot be eliminated; firms can, however, and must, take all appropriate steps to mitigate it, ensuring that controls are well designed, that the individuals who design and manage those controls understand how they work, and that crisis management plans are clear and well-rehearsed. Once again the FCA’s approach to these breaches shows that the bar of expectation for firms to conduct their business with care, skill, and due diligence, and to do all they can to protect their customers from adverse impacts, is very high. The costs firms can incur from disregarding this high bar are also significant, especially when the risks in question could have been prevented or mitigated simply by following the firm’s own internal procedures. Boards and senior managers of financial institutions should reflect on what happened to Tesco Bank and start reviewing whether it could happen to them too.