FCA fines Tesco Bank £16.4 million for bad cyber-controls
Chris Hamblin, Editor, London, 5 October 2018
The UK's Financial Conduct Authority has imposed a financial penalty on Tesco Personal Finance under s206 Financial Services and Markets Act. Cyber-attackers exploited deficiencies in the design of the bank’s debit card, in its financial crime controls and in its financial crime operations team in November 2016.
Tesco’s shortcomings, according to the regulator, left its personal current account holders vulnerable to a largely avoidable incident that occurred over 48 hours and which netted the fraudsters £2.26 million. No personal data was stolen.
Tesco seems not to have done enough 'penetration testing'. Its financial crime operations team reacted to the first signs that all was not well by emailing the fraud strategy inbox instead of telephoning the fraud analyst, in direct contravention of the bank's internal procedures. The bank, moreover, only became aware of the attack when customers, who had received automatic alerts from one of its units, began calling it up. Their calls soon overwhelmed the hotline and things worsened from there. It took the financial crime operations team 21 hours to talk to the fraud strategy team.
Most of the fraudulent transactions came from Brazil. The attackers were making contactless transactions that relied on magnetic stripe rules that carry identifying information about debit cards. The bank fraud strategy team took nearly 24 hours to put a rule in place to stop the transactions. Even then, the rule was ineffective because the team used the wrong code for Brazil. This slowed the tidal wave of fraudulent transactions to a trickle, but the team were unable to stop the flow entirely. Eventually, the bank hired some external consultants and asked them to step in. It transpired that the trickle of transactions benefited from a coding error that the financial crime operations team made when setting up the code for Brazil in the first place. The whole attack lasted 22 hours because of the bank's blunders, according to the FCA. All in all, the attack affected 8,261 out of 131,000 Tesco Bank personal current accounts.
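The failure described above, a blocking rule that never matched because the wrong country code was typed in, as an added Python example that is not from the FCA notice or from Tesco Bank's own systems; the transaction fields, the ISO 3166 subset and the reading of "PoS 91" as a point-of-sale entry-mode value are assumptions made for illustration:

```python
from dataclasses import dataclass

# Constructed subset of ISO 3166-1 codes (alpha-2 -> numeric); real tables are far larger.
ISO3166_NUMERIC = {"BR": "076", "GB": "826", "US": "840"}

@dataclass(frozen=True)
class Transaction:
    card_last4: str
    pos_entry_mode: str    # assumed field; "91" stands in for the page's "PoS 91" transactions
    merchant_country: str  # assumed to arrive as an ISO 3166-1 numeric code in the authorisation
    amount_pence: int

@dataclass(frozen=True)
class BlockRule:
    pos_entry_mode: str
    merchant_country: str

def rule_is_deployable(rule: BlockRule) -> bool:
    """Deployment gate: a rule whose country code is not a known ISO numeric code can never
    match, so it declines nothing. That silent failure is what this check is meant to catch."""
    return rule.merchant_country in ISO3166_NUMERIC.values()

def build_rule(pos_entry_mode: str, country_alpha2: str) -> BlockRule:
    """Build a rule from the alpha-2 code so the numeric value is looked up, not hand-typed."""
    rule = BlockRule(pos_entry_mode, ISO3166_NUMERIC[country_alpha2])
    if not rule_is_deployable(rule):
        raise ValueError(f"rule would never match: {rule!r}")
    return rule

def should_decline(tx: Transaction, rules: list) -> bool:
    return any(r.pos_entry_mode == tx.pos_entry_mode
               and r.merchant_country == tx.merchant_country for r in rules)

# Constructed sample authorisations: two Brazilian PoS 91, one Brazilian chip, one UK PoS 91.
SAMPLE_TXS = [
    Transaction("1234", "91", "076", 4999),
    Transaction("5678", "91", "076", 12000),
    Transaction("1234", "05", "076", 2500),
    Transaction("9012", "91", "826", 1500),
]

def declined_count(rules: list) -> int:
    """How many of the sample authorisations a rule set would decline."""
    return sum(should_decline(tx, rules) for tx in SAMPLE_TXS)

# Hand-typed rule with a wrong code ("55" is Brazil's dialling prefix, not its ISO code):
# it fails the deployment gate and, if deployed anyway, matches nothing.
WRONG_RULE = BlockRule("91", "55")
# Looked-up and gated rule: declines exactly the two Brazilian PoS 91 authorisations.
CORRECT_RULE = build_rule("91", "BR")
```

Running `declined_count([WRONG_RULE])` gives 0 and `declined_count([CORRECT_RULE])` gives 2, while `rule_is_deployable(WRONG_RULE)` is False before the rule ever reaches production.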
The FCA's Principle for Businesses 2 requires a firm, in intentionally vague terms, to conduct its business with due skill, care and diligence. It is the contravention of this principle that applies here.
The word 'foreseeable' appears seven times in the decision notice, raising the disconcerting possibility that the FCA will always see fit to punish any firm that has not taken precautions against any kind of cyber-attack that has hit the headlines or appeared in IT articles. 'Foreseeability' in this case, according to the FCA, takes the form of counterparties and affiliates telling a bank about a new kind of attack; an article appearing in an IT magazine that the bank does not see; and the bank having sustained at least one attack of this kind previously. All these things applied to Tesco Bank, which received prior warnings about so-called PoS 91 transactions from both Visa and MasterCard, of which it is a member; which failed to spot an article on the subject in Visa Business News in 2014; and which, according to the FCA, "had experienced fraudulent PoS 91 transactions on both its credit cards and debit cards well before the cyber attack."
Tesco Bank performed more smoothly when dealing with customers after the crisis. It set up a "consumer redress programme" which stopped pending debits from being posted to accounts, refunded fees, charges and interest to customers, reimbursed customers for the direct consequential losses they incurred, and paid compensation to customers for distress and inconvenience on a case-by-case basis. Only three complaints were referred to the Financial Ombudsman Service and they were all upheld in Tesco's favour.