Tesco Bank Hit With £16 Million Fine Over Debit Card FraudUK's Financial Conduct Authority Slams Bank for Series of Avoidable Errors
Scotland-based Tesco Bank has been hit with a £16.4 million ($21.3 million) fine by the U.K.'s Financial Conduct Authority for failing to proactively deal with "foreseeable risks" that led to hackers executing a successful online attack campaign.
The attacks, in November 2016, lasted for 48 hours and led to hackers stealing £2.26 million ($2.93 million), says the Financial Conduct Authority, the U.K.'s financial regulatory body that operates independently of the U.K. government.
The FCA says that Tesco Bank violated Principle 2 of the standards that regulated financial firms must follow. "Principle 2 requires a firm to conduct its business with due skill, care and diligence," it says.
The fine against Tesco Bank was announced by the FCA on Monday.
"The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks," says Mark Steward, the FCA's executive director of enforcement and market oversight, in a statement. "In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all."
Gerry Mallon, CEO of Tesco Bank, says in response to the sanctions: "We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers' accounts, and we fully accept the FCA's notice. We have significantly enhanced our security measures to ensure that our customers' accounts have the highest levels of protection. I apologize to our customers for the inconvenience caused in 2016."
Tesco Bank could have been hit with an even larger fine. But the FCA says that Tesco Bank's high level of cooperation with investigators, quickly bringing in third-party investigators to conduct a "root cause analysis" of the attack, as well as its launching of "a comprehensive, end-to-end review of its financial crime controls and debit card payments systems to identify and ameliorate the deficiencies which made it vulnerable to the attack" helped it avoid steeper penalties.
Hackers Struck During Weekend
The 2016 attack against Tesco Bank, which occurred over a weekend, resulted in funds being drained directly from the accounts of 20,000 of the Edinburgh-based institution's customers. As a "precautionary measure," the bank temporarily halted all online transactions from current - aka checking - accounts for its customers (see Tesco Bank Confirms Massive Account Fraud).
The FCA's report into the breach says the attack appeared to originate largely from Brazil and used the payment card method known as "PoS 91," which "is an industry code which indicated that the attackers were making contactless MSD transactions - transactions which rely on magnetic stripe rules which carry identifying information about the debit card."
"PoS 91 is used predominately outside of Europe and has no limits in terms of the value or the number of transactions," the FCA notes. "The fact that some of the transactions were successful suggested that the attackers may have obtained authentic Tesco Bank debit card 'PAN' numbers - the long numbers across the front of debit cards - to make the transactions."
The FCA says that Tesco's fraud team spotted the attacks and attempted to block the attempted fraud by putting in place rules to reject the Brazilian transactions. Later, however, the FCA reports that Tesco Bank found that the rules weren't effective, due a "coding error" made by the bank's financial crime operations team.
In the meantime, the attacks had reached a peak volume of 80,000 fraudulent transactions, the FCA reports. "Although Tesco Bank's controls stopped almost 80 percent of the unauthorized transactions, the cyberattack affected 8,261 out of 131,000 Tesco Bank personal current accounts," the FCA says. Due to accounts that subsequently had too little funds to complete transactions, the bank slapped a total of about £9,000 ($12,000) in charges on drained accounts, plus interest, while 668 direct debits on customers' accounts went unpaid, it says.
Visa Alert: PoS 91
The FCA notes that Tesco Bank never intended that its debit cards should be compatible with Pos 91. In addition, it notes that the bank inadvertently issued debit cards with sequential PAN numbers - making the numbers easier for attackers to guess - and also failed to fully act on an alert from Visa that arrived before the attacks began.
"Visa warned its members, including Tesco Bank, about fraudulent PoS 91 transactions occurring in Brazil and the U.S.," the FCA says. "Tesco Bank immediately implemented a rule to block these transactions on its credit cards, but failed to make parallel changes to its debit cards."
Following the attack, the bank launched a "consumer redress program and tried to limit the effect of the attack on customers," the FCA says. That included refunding "fees, charges and interest to customers," as well as reimbursing customers for all direct losses they incurred and paying "compensation to some customers for distress and inconvenience" and "compensation for consequential losses" - aka special damages arising from a party's failure to honor a contractual obligation - "on a case-by-case basis."
Senior Management Acted Quickly
Also in Tesco Bank's favor, the organization reacted relatively quickly to the breach once senior managers were finally informed.
"The FCA recognized in the notice that, once senior management was aware, Tesco Bank responded quickly to stop the fraudulent transactions, updating customers regularly and deploying significant resources to return customers to their previous financial position," Tesco Bank says in a statement.
But the FCA's investigation found that Tesco Bank could have reacted more quickly if it hadn't made multiple mistakes. "Through a series of errors, which included Tesco Bank's financial crime operations team emailing the fraud strategy inbox instead of telephoning the on-call fraud analyst (as Tesco Bank's procedures required), it took Tesco Bank's financial crime operations team 21 hours from the outset of the attack to make contact with Tesco Bank's fraud strategy team, a specialist group in the financial crime operations team," the FCA says. "In the meantime, nothing had been done to stop the attack, the fraudulent transactions multiplied, calls from customers mounted and the attack continued."
Takeaway: Be Resilient
The FCA says the Tesco Bank breach stands as a cautionary tale for how not to prepare for a hack attack.
"Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place," the FCA's Steward says.
"The standard is one of resilience, reducing the risk of a successful cyber attack occurring in the first place, not only reacting to an attack," he adds. "Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated."