Date: 2018-10-01

TESCO BANK has agreed to hand over £16.4m to the Financial Conduct Authority (FCA) following a 2016 cyberattack on its systems.

The mega-attack, which occurred in November 2016, saw criminals access around 9,000 customers' savings, with some reporting that as much as £2,000 was syphoned from their accounts. The "unprecedented" incident forced Tesco to shut down online transactions for two days, and led to the company paying back around £2.5m to affected customers.

The FCA, which last week threatened Tesco Bank with a £30m fine, said in a statement on Monday that it's fining the company for "failing to exercise due skill, care and diligence in protecting its personal current account holders against a cyberattack."

The watchdog found that attackers were able to exploit deficiencies in the design of Tesco Bank's debit card, its financial crime controls and in its Financial Crime Operations Team to carry out the attack, adding that Tesco Bank also failed to respond to the incident with "sufficient rigour, skill and urgency."

At the time of the attack, Tesco Bank customers complained that they were kept on hold for hours and received no communication from the company.

Mark Steward, executive director of Enforcement and Market Oversight at the FCA, said: "The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.

"In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all."

The FCA, which is also calling on Tesco to ensure that its "cyber-crime controls are designed to anticipate and reduce the risk of a successful attack", notes that the firm's defences have improved in light of the incident.

"It has made significant improvements both to enhance its financial crime systems and controls and the skills of the individuals who operate them," the watchdog said.

Tesco Bank chief executive Gerry Mallon added: "We are very sorry for the impact that this fraud attack had on our customers.

"Our priority is always the safety and security of our customers' accounts and we fully accept the FCA's notice.

"We have significantly enhanced our security measures to ensure that our customers' accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016."

At the time of the attack, a data protection lawyer, who asked not to be named, told the INQUIRER that Tesco, the supermarket chain that owns Tesco Bank, could have faced a fine of £1.9bn for the hack if it had occurred under the EU's General Data Protection Regulation.