Tesco Bank facing massive fine over cyber-related fraud

UK regulators said to be considering a fine as high as £30m for the 2016 incident

While customers affected by the cyber-related fraud were initially estimated to be as high as 50,000, the final tally stood at just 50. Photograph: Nick Ansell/PA Wire

Tesco is in line to face the biggest fine on record from the UK financial watchdog for a cyber-related fraud.

The Financial Conduct Authority (FCA) and Tesco’s banking arm are locked in negotiations over a penalty for the incident that took place in late 2016, with regulators considering a fine as high as £30 million, according to people familiar with the situation.

But Tesco Bank is hoping the matter will be resolved with a fine of under £20 million, another person familiar with the discussions told the Financial Times. It is typical for the FCA and a company to negotiate an eventual penalty even in a case where the company under investigation accepts the regulator's findings of fact.

A sustained cyberattack on Tesco Bank in November 2016 forced the company to repay £2.5 million of losses to 9,000 customers in a heist described at the time as “unprecedented” by regulators. The FCA looked into whether Tesco Bank had left its customers exposed to fraud because it had issued sequential debit-card numbers, a practice most lenders avoid.


While customers affected were initially estimated to be as high as 50,000, the final tally stood at just 50. The financial offshoot of the UK’s largest supermarket group has insisted that no customer data was lost and none of its systems were breached in the “highly sophisticated attack”.

IT failures

Both the FCA and Tesco Bank declined to comment. Sky News first reported the penalty negotiations.

The negotiations come as banks are increasingly under scrutiny for IT failures and cyber attacks. Last week, millions of customers were locked out of their online accounts after both Barclays and Royal Bank of Scotland's NatWest suffered IT outages.

But the FCA has yet to substantially fine a company for a cyber-related incident. It hit RBS with a £42 million penalty in 2014 but that was over an IT outage rather than a cyberattack. The information commissioner last week fined Equifax £500,000 over a massive data breach – the maximum allowable under old data protection laws. However, that was for the loss of personal information rather than account holders’ money. The FCA’s investigation into Equifax is ongoing.

It is not clear if the ICO is also investigating Tesco Bank over the 2016 incident.

- Copyright The Financial Times Ltd