£16.4 Million Fine Paid by Tesco Bank for the 2016 Cyber Bank Heis

Tesco Bank, a UK-based financial institution fined for damages due to the 2016 cyber attack, to the tune of £16.4 million. UK’s Financial Conduct Authority has demanded the fine due to the bank’s irresponsibility and lack of sense of obligation towards their customer’s data. Two years ago, in 2016 the bank lost a sum total of £2.26 million in just two days through the threat actor’s use of a forged debit card number.

It was already too late to stop the unauthorized bank transfers, as Tesco Bank only acted one day after the cyber attack. But the bank heist could have been far worse if not stopped, there were an abnormal number of bank transfers that occurred which peaked at 80,000 in just one day, all of which were traced as originating from Brazil.

“The [block] was ineffective because the Fraud Strategy Team erroneously used the Euro currency code instead of Brazil’s country code when it coded the rule designed to block PoS 91 transactions originating in Brazil. Some experienced long call queues and did not always receive the help they needed from Tesco Bank’s call center,” explained FCA.

The bank has hired external security consultants to assist with the background investigation of the issue, but approximately 8261 of its customer accounts were already victimized. “Tesco Bank applied around £9,000 in charges and interest to customers’ accounts and account balance reductions led to 668 unpaid direct debits on customers’ accounts,” added FCA.

Tesco Bank’s CEO, Gerry Mallon is regretting the damage caused by the bank heist, and they paid the fine in order to express their sincere apology for the incident that affected thousands of their customers. “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologize to our customers for the inconvenience caused in 2016,” explained Mallon.

Banks, especially those operating in the European region should invest in a credible and efficient cyber defense infrastructure. The bank heist predated the full implementation of GDPR, which fully took effect since May 25, 2018.