Tesco Bank Hack 2016 Update: Bank Fined £16.4m; Details Revealed

Back in 2016, Britain’s Tesco Bank became a victim of a major cyber attack. At that time, bank authorities did not reveal many details about the incident. we only learned that there was a massive impact on its customerbase of 136,000. After almost 2 years, and ongoing investigations/legal proceedings details have finally been revealed.

Tesco Bank Hack 2016 – A Quick Recap

In November 2016, Tesco Bank in the UK suffered a major cyber attack affecting the customerbase consisting of 136,000 accounts. As reported, the bank observed suspicious activity over the weekend affecting around 40,000 accounts. Further investigations revealed the attackers allegedly stole around £2.5 million from 9000 customer accounts.

The attack compelled the bank to take down its services temporarily and freeze the affected accounts. Later on, services were resumed and the bank reimbursed customers facing financial losses from the attack. Nonetheless, we couldn’t learn any technical details regarding the incident, nor did the bank explicitly explain anything. However, the investigations remained in progress.

Details 2018 – How Did The Hack Happen?

After almost 2 years from the incident, the investigations have now revealed detailed information about the Bank’s 2016 hack. This week, we came to know about details of the notices by the Financial Conduct Authority (FCA). According to their report, the attackers succeeded in exploiting vulnerabilities in the Bank’s debit card design. The bank also had weaknesses in its financial crime control and financial crime operations team. Consequently, it let the attackers steal £2.26 million.

Stating the technical details of the incident, the FCA notice reads,

The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers and, using those “virtual cards”, they engaged in thousands of unauthorised debit card transactions.

Although Tesco Bank’s controls stopped almost 80% of the unauthorised transactions, the Cyber Attack affected 8,261 out of 131,000 Tesco Bank personal current accounts.

The attack allegedly started on November 5, 2016, the bank came to know about it on November 6, 2016.

Tesco Bank Fined Roughly $21 Million

Besides revealing the details of the incident, the FCA also fined Tesco Bank for £16.4 million (approx. $21.4 million) for failing to protect their customers. While the fine seems a hefty one, FCA clearly stated that a discount was applied in this fine owing to Tesco’s cooperation. As stated in their final notice,

Tesco Bank agreed to settle at an early stage of the Authority’s investigation and therefore qualified for a 30% (Stage 1) discount under the Authority’s executive settlement procedures. Were it not for this discount, the Authority would have imposed a financial penalty of £23,428,500 on Tesco Bank.

FCA has confirmed the fine on Tesco Bank in a media release published on Monday. Mark Steward, FCA’s Executive Director of Enforcement and Market Oversight, commented about the situation by saying,

The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.

Take your time to comment on this article.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients