Tesco Bank has been fined £16.4 million ($29.5 million) after it failed to address the threat of a cyber attack until the incident was already underway.
The fine was meted out by the UK’s Financial Conduct Authority (FCA) “for failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyber attack”.
The cyber attack took place in November 2016 and saw $4m taken from accounts over 48 hours.
It forced the bank to shut itself down for several days to prevent further losses.
The FCA said in a statement that attackers had “exploited deficiencies in Tesco Bank’s design of its debit card, its financial crime controls and in its financial crime operations team to carry out the attack.”
“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” executive director of enforcement and oversight Mark Steward said.
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started.
“This was too little, too late. Customers should not have been exposed to the risk at all.”
The FCA said Tesco Bank had since addressed deficiencies in its security posture and practices.
The bank had also “provided a high level of cooperation to the FCA”, which, together with the compensation it paid out to customers, earned it a substantial discount on the fine.
The FCA said it would otherwise have fined Tesco Bank £33,562,400 ($60.5 million).