Regulators Consider Record-Breaking £30m Fine For Tesco Bank Hack

Tesco’s banking arm may face a record fine from the UK’s financial regulator over a 2016 cyberattack that led to customer losses of £2.5 million and was considered a first at the time.

The Financial Conduct Authority (FCA) is considering a fine of up to £30m, according to multiple reports citing persons familiar with the matter.

Tesco Bank is understood to be in negotiations with the FCA to reduce the fine substantially, and is reportedly hoping a fine of less than £20m will finally be agreed upon.

In November 2016 Tesco Bank was forced to suspend all online transactions after it found that criminals were trying to access customers’ accounts.

Massive fine

The bank revised an initial estimate that 40,000 customers had been affected down to 20,000 and subsequently to 9,000.

Reports indicate that since that time the bank has further revised the figure to fewer than 50 customers, all of whose losses were refunded within days. No customer data was compromised, Tesco Bank has said.

The relatively small number of customers affected adds shock value to the size of the proposed fine, which was first disclosed by Sky News.

The proportion of the fine  would appear to suggest penalties in the hundreds of millions or billions of pounds for a large-scale incident.

The Information Commissioner’s Office (ICO), by contrast, last week fined Equifax a relatively modest £500,000 for exposing the personal data of millions of British individuals to hackers.

That fine, however, was for data losses, and not financial theft, and moreover was the maximum allowed under the data protection laws in place when the hack occurred last year.

‘Unprecedented’

The GDPR, which came into force in May, has since instituted much more substantial penalties. The FCA’s investigation into the Equifax breach continues.

At the time of the Tesco Bank hack the FCA described it as “unprecedented in the UK”, while experts said it was the first mass account breach at a western bank.

Data breaches and online banking outages are coming under increasing scrutiny as customers rely increasingly on digital services.

Last week customers at banks including Barclays and Royal Bank of Scotland’s NatWest were locked out of online accounts by technical failures.

The FCA has not yet imposed a substantial penalty for a cyber-theft. It imposed a £42m penalty against RBS in 2014, but that fine was for an IT outage.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

2 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

4 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

4 hours ago