Tesco Bank Cyber Attack Leads to $21 Million Settlement in U.K.

(Bloomberg) -- The U.K. financial regulator fined Tesco Plc’s banking arm 16.4 million pounds ($21 million) for failures that allowed cyber attackers to steal funds.

The 48-hour hack in November 2016 was “largely avoidable” and took place because the thieves took advantage of weaknesses in the design of the bank’s debit card, its financial-crime controls and its so-called Financial Crime Operations Team, netting the criminals 2.3 million pounds, the Financial Conduct Authority said Monday in a statement.

“The attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started,” said Mark Steward, FCA executive director of enforcement and market oversight. “This was too little, too late. Customers should not have been exposed to the risk at all.”

Tesco Bank immediately tried to remedy the problems and provide redress, devoting significant resources to the problems, the FCA said. It also cooperated with the regulator, receiving a 30 percent credit for mitigation, and qualified for a discount because it agreed to settle the matter early, the FCA said.

Tesco Bank Chief Executive Officer Gerry Mallon apologized for the inconvenience caused to customers.

“We are very sorry for the impact that this fraud attack had on our customers,” Mallon said. “Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection.”

Tesco shares were little changed at 239.30 pence at 9:42 a.m. in London. They’ve risen 14 percent this year.

©2018 Bloomberg L.P.