The Financial Conduct Authority has fined Tesco (LON: TSCO) £16.4 million over the cyber-attack that took place in 2016.
The FCA said that the supermarket had failed to exercise proper skill, care and diligence in protecting its personal current account holders.
Mark Steward, the executive director of enforcement and market oversight at the FCA, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks.”
“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all.”
“Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”
“The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack,” he added.
The FCA said that had the supermarket giant not co-operated as much as it did, the fine would have been £33.56 million.
Whilst the hack did not lead to the theft or loss of any customers’ data, there were 34 transactions where funds were taken from customers’ accounts. All of the money has been refunded into customer accounts.
The hackers got away with £2.26 million.
The Tesco Bank chief executive, Gerry Mallon, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.”
“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”