On 1 October, the Financial Conduct Authority (FCA) announced that its penalty responded to a November 2016 security incident at Tesco Bank. Digital attackers abused weaknesses in the British retail bank’s design of its debit card, its financial crime controls and its Financial Crime Operations Team at the time to conduct thousands of unauthorized debit card transactions. The event lasted 48 hours and netted a total of £2.26 million for those responsible.
The controls implemented by Tesco Bank stopped 80 percent of the unauthorized transactions. Even so, the attack overall affected 8,261 out of its 131,000 personal current account holders. Some of these customers weren’t able to use their debit cards to make payments, while others experienced long wait times when they attempted to call the British retail bank to report the issues.
Following the attack, Tesco Bank initiated a program to limit the attack’s effects on customers. Part of this initiative involved refunding customers for charges, fees and interest. It also compensated some customers for the distress and inconvenience they endured.
Tesco Bank Chief Executive Gerry Mallon apologized to customers for the security incident and said the organization has taken steps to prevent similar attacks from occurring in the future. As quoted by Investigate:
>We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.
Customers of Tesco bank can learn how they can do their part to protect their online banking information by clicking here. At the same time, it’s essential that institutions like Tesco Bank have measures in place to protect their financial systems, maintain availability and automate compliance. Learn how Tripwire can help.