The financial watchdog has slapped a hefty £16.4m fine on Tesco Bank for a "largely avoidable" cyber attack that hit customers in 2016.
The Financial Conduct Authority (FCA) said the bank had failed to exercise "due skill, care and diligence in protecting its personal current account holders" in the breach, in which attackers gained £2.26m.
The FCA's executive director of enforcement and market oversight, Mark Steward, said Tesco did not heed earlier warnings about its vulnerability to a cyber attack and that its response was "too little, too late".
He added: "Customers should not have been exposed to the risk at all."
Cyber attackers were able to access customers' accounts through deficiencies in the design of the bank's debit card, in its financial crime controls and in its financial crime operations team.
Tesco said the attack did not involve the theft or loss of any customers' data, but led to 34 transactions where funds were debited from customers' accounts, and other customers having normal service disrupted.
Tesco Bank chief executive Gerry Mallon said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice. We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”
The FCA said it reduced the fine applicable to Tesco Bank because it had chosen to co-operate with the regulator. Tesco Bank's response of compensating customers meant it avoided a fine of £33.5m.