Tesco Bank has been fined £16.4 million for the 2016 cyber attack


Tesco Bank has been fined over £16 million for the cyber attack that took place in 2016. The regulator, the FCA, says over £2.25 million was stolen by fraudsters.

Why has Tesco Bank been fined?

Tesco Bank has been fined £16.4 million by the financial regulator, the Financial Conduct Authority (FCA). It says that the accounts of over 8,000 people were affected. Tesco Bank wasn’t hacked, and hackers didn’t break into Tesco Bank’s systems. Instead, fraudsters exploited weaknesses in the design of Tesco Bank’s debit cards and its checking and authorisation system.

What went wrong at Tesco Bank

I’ve read the report from the FCA and it doesn’t make for pretty reading. It says that Tesco Bank failed in several ways:

  • The design and distribution of its debit card. This all gets a bit technical and some of it is beyond my understanding of debit cards. But what the FCA has said is that Tesco Bank started offering debit cards in 2014. It issued debit cards with random PANs (this is the long number on the front of your card) in batches of 50,000. So although it made sure it didn’t issue debit cards with sequential numbers, it didn’t issue new debit cards until the whole of the batch of 50,000 had been used up. And that meant that it was easier for fraudsters to work out the long numbers of debit cards.

SAVVY TIP: Not surprisingly, Tesco Bank doesn’t issue cards in this way anymore.

  • The checking of expiry date information. Astonishingly, Tesco Bank’s authorisation system wasn’t programmed to check for a debit card’s exact expiry date. It only checked that the expiry date was in the future (namely, after the transaction date).
  • The speed with which Tesco Bank responded to the fraud. The fraud started at 2 in the morning on Saturday November 5th 2016. Over 550 fraudulent transactions were submitted using genuine debit card PANs (long card numbers). This is a well-used tactic, where a fraudster will try a relatively low number of transactions and see whether they are rejected, before trying thousands of them. At 4 in the morning, Tesco Bank’s fraud detection system started sending automated texts to customers warning them about fraud. By 8 am, Tesco Bank’s out of hours call team noticed that more people were ringing about fraud than usual. One of Tesco Bank’s operations team emailed the fraud team. But the fraud team didn’t monitor emails over the weekend and they were supposed to be contacted by phone instead. A further email and incorrect phone number followed, and the fraud team weren’t alerted until 11pm on Saturday. This was 21 hours after the fraud attack started. By then, fraudsters had attempted 46,000 fraudulent transactions. Tesco Bank blocked only 74% of them.
  • The way Tesco Bank responded to the fraud. Early on Sunday morning, Tesco Bank’s fraud team identified that the fraudulent transactions were coming from Brazil. They put in place some IT coding so that these transactions would be rejected. But they didn’t check whether this new code actually stopped the fraud. It wasn’t until 3.35 on Monday morning that Tesco Bank’s fraud team put the right block in place to stop the fraud. By this time, fraudulent transactions had risen to 80,000. Tesco Bank was at least doing better in blocking them – it blocked 90% of them.
  • Banks were warned about fraudulent Visa card attacks coming from Brazil. Visa warned banks, including Tesco Bank, back in November 2015 about the kind of fraud that was carried out against Tesco Bank. As a result, Tesco Bank made changes to its credit cards, but not its debit cards. Visa sent an email to Tesco Bank (as part of a mailing to all member banks) in September 2016 warning that this type of fraud attack had been spotted in Brazil again. Tesco Bank’s fraud strategy team told the regulator they received the email but don’t remember doing anything as a result.
  • The poor communication and lack of capacity in its call centre. Tesco Bank sent two lots of texts early in the morning: some on the morning of 5th November and some on the morning of 7th November. Some customers were – understandably – alarmed by these texts. When they rang the call centre, they often couldn’t get through. At one point, 90% of calls to its call centre were abandoned (basically, people got fed up of waiting).
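
To show why the expiry date weakness in the list above mattered, here is an added example (not code from Tesco Bank or the FCA report) that puts a "date is in the future" check beside an exact-match check and counts how many expiry values each one accepts. It also flags cards that receive repeated wrong-expiry attempts. The card number, expiry date, function names and alert threshold are all assumptions made up for the illustration.

```python
from collections import Counter
from datetime import date

# Constructed card record: the PAN and expiry are made-up test values.
CARDS = {"4000000000000002": (2019, 8)}  # PAN -> (expiry year, expiry month)


def weak_check(pan, exp, txn_date):
    """The flaw described above: any expiry not yet passed is accepted."""
    return pan in CARDS and exp >= (txn_date.year, txn_date.month)


def strict_check(pan, exp, txn_date):
    """Expiry must equal the issued value, and the card must not have expired."""
    issued = CARDS.get(pan)
    still_valid = issued is not None and issued >= (txn_date.year, txn_date.month)
    return still_valid and exp == issued


def accepted_expiries(check, pan, txn_date, years=5):
    """Count how many month/year values over `years` years a check lets through."""
    candidates = [(y, m)
                  for y in range(txn_date.year, txn_date.year + years)
                  for m in range(1, 13)]
    return sum(check(pan, exp, txn_date) for exp in candidates)


def flag_expiry_mismatches(attempts, threshold=3):
    """Return PANs that received at least `threshold` wrong-expiry attempts."""
    wrong = Counter(pan for pan, exp in attempts
                    if pan in CARDS and exp != CARDS[pan])
    return sorted(pan for pan, count in wrong.items() if count >= threshold)


if __name__ == "__main__":
    pan, when = "4000000000000002", date(2016, 11, 5)
    print("weak check accepts:", accepted_expiries(weak_check, pan, when))
    print("strict check accepts:", accepted_expiries(strict_check, pan, when))
    # Constructed attempt log: three wrong expiry dates, then the right one.
    log = [(pan, (2017, 1)), (pan, (2018, 5)), (pan, (2020, 2)), (pan, (2019, 8))]
    print("flagged cards:", flag_expiry_mismatches(log))
```

With the exact-match check, every wrong expiry date becomes a declined transaction that a fraud system can count. With the weak check those attempts are approved and never show up as mismatches.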

What has Tesco Bank done?

Tesco Bank has made some major changes to its security procedures. It also refunded everyone who had money stolen from them or who lost out financially as a direct result of the cyber attack. In a statement issued today, Tesco Bank said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
