The Financial Conduct Authority (‘FCA’) announced, on 1 October 2018, that it had fined Tesco Personal Finance plc (‘Tesco Bank’) £16.4 million for breaching Principle 2 of the FCA Handbook, by failing to conduct its business with due skill, care and diligence, following a cyber attack that took place in 2016. In particular, the FCA noted that although Tesco Bank’s controls prevented almost 80% of the unauthorised transactions, the cyber attack affected 8,261 out of 131,000 Tesco Bank personal current accounts.
According to the FCA, the attack began on 5 November 2016, when the attackers transmitted 579 fraudulent transactions using authentic Tesco Bank debit card permanent account numbers (‘PANs’). During the attack, Tesco Bank’s fraud detection system picked up the unusual activity and began sending automatic text messages to personal current account holders, while the number of fraudulent transaction attempts continued to rise. Tesco Bank’s Fraud Strategy Team determined that the majority of the suspicious transactions originated in Brazil, but a mistake in the code meant that its attempt to limit the attack failed. External fraud experts ultimately concluded that Tesco Bank had configured the authorisation system at customer account level rather than at individual debit card level; Tesco Bank then implemented a block that stopped the flow of fraudulent transactions.
The FCA found that Tesco Bank had failed to design and distribute its debit cards correctly: the cards were not intended to be used for contactless magnetic stripe transactions, yet cardholders could still use that payment method. In addition, the FCA noted that Tesco Bank had inadvertently issued debit cards with sequential PANs, increasing the likelihood that the attackers would find the next PAN in the sequence, and had failed to configure specific authentication rules correctly, since those rules checked only whether the debit card’s expiry date lay in the future rather than checking the exact date and month. The FCA also held that Tesco Bank had failed to configure its fraud detection rules properly, because the analysis was conducted at account level instead of card level.
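Two of the control failures described above, an expiry check that only confirms the supplied date has not passed and fraud rules keyed by account rather than by card, can be shown side by side with their corrected forms. The following is an added illustration, not code from Tesco Bank or the FCA notice: the card data, the watch-list country, the velocity threshold and the `VelocityRule` class are all constructed assumptions, and the PANs are obviously fake placeholders.

```python
"""Illustrative authorisation checks modelled on the control failures the FCA
described. Constructed example; not Tesco Bank's or the FCA's code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Date of the attack per the notice; used as "today" for the expiry checks.
TODAY = date(2018, 11, 5)


@dataclass(frozen=True)
class Card:
    pan: str          # constructed placeholder PAN, not a real card number
    account_id: str
    exp_month: int
    exp_year: int


@dataclass(frozen=True)
class AuthRequest:
    pan: str
    exp_month: int
    exp_year: int
    country: str      # acquirer country reported with the transaction (assumed field)


def expiry_ok_weak(req: AuthRequest, today: date) -> bool:
    """Weak check: accepts any expiry that has not yet passed, so a valid PAN
    paired with an arbitrary future month/year is authorised."""
    return (req.exp_year, req.exp_month) >= (today.year, today.month)


def expiry_ok_strict(req: AuthRequest, card: Card, today: date) -> bool:
    """Corrected check: the supplied expiry must equal the month and year on
    the issued card exactly, and the card must not have expired."""
    supplied = (req.exp_year, req.exp_month)
    return supplied == (card.exp_year, card.exp_month) and supplied >= (today.year, today.month)


class VelocityRule:
    """Assumed fraud rule: after `threshold` attempts from a watch-listed
    country, block the key. `key_by` sets the granularity: 'card' (per PAN)
    or 'account' (per customer account)."""

    def __init__(self, threshold: int, watch_countries: set, key_by: str = "card"):
        self.threshold = threshold
        self.watch = watch_countries
        self.key_by = key_by
        self.counts = defaultdict(int)
        self.blocked = set()

    def key(self, card: Card) -> str:
        return card.pan if self.key_by == "card" else card.account_id

    def evaluate(self, req: AuthRequest, card: Card) -> str:
        k = self.key(card)
        if k in self.blocked:
            return "BLOCKED"
        if req.country in self.watch:
            self.counts[k] += 1
            if self.counts[k] >= self.threshold:
                self.blocked.add(k)
                return "BLOCKED"
            return "FLAGGED"
        return "APPROVED"


def run_scenario(key_by: str) -> dict:
    """Two cards on one account; only card A sees suspicious attempts.
    Returns the attack decisions and the decision for a later legitimate
    domestic purchase on card B, which shows the effect of rule granularity."""
    cards = {
        "0000000000000001": Card("0000000000000001", "acct-1", 6, 2027),
        "0000000000000002": Card("0000000000000002", "acct-1", 9, 2027),
    }
    rule = VelocityRule(threshold=3, watch_countries={"BR"}, key_by=key_by)
    decisions = []
    for _ in range(3):
        req = AuthRequest("0000000000000001", 1, 2030, "BR")  # wrong expiry, watch-listed origin
        decisions.append(rule.evaluate(req, cards[req.pan]))
    legit = AuthRequest("0000000000000002", 9, 2027, "GB")
    return {"attack": decisions, "card_b_after": rule.evaluate(legit, cards[legit.pan])}


if __name__ == "__main__":
    card = Card("0000000000000001", "acct-1", 6, 2027)
    bad = AuthRequest("0000000000000001", 1, 2030, "BR")
    print("weak expiry check passes bad request:", expiry_ok_weak(bad, TODAY))
    print("strict expiry check passes bad request:", expiry_ok_strict(bad, card, TODAY))
    for mode in ("card", "account"):
        print(mode, run_scenario(mode))
```

With card-level keying the block lands only on the attacked PAN and the customer's other card keeps working; with account-level keying the same rule fires at the same time but the block also catches the untouched card, which is the kind of mismatch between where the rule is evaluated and where the action should apply that the notice describes.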
Moreover, according to the FCA, Tesco Bank did not take appropriate action to prevent the foreseeable risk of fraud following a warning from Visa Inc. about fraudulent Point of System 91 transactions occurring in Brazil and the US. In response, Tesco Bank blocked such transactions for its credit cards but did not make parallel changes for its debit cards, leading to the events that resulted in the cyber attack. Finally, the FCA found that Tesco Bank did not respond to the cyber attack “with sufficient rigour, skill and urgency” and held that it had failed to follow its procedures, including those for crisis management.
The FCA noted that Tesco Bank cooperated in the investigation and implemented a comprehensive redress programme which fully compensated customers. Accordingly, the FCA granted Tesco Bank 30% credit for mitigation and agreed to an early settlement, reducing the fine that would have otherwise amounted to £33,562,400.
NIKOS PAPAGEORGIOU, Privacy Analyst