Two years after the attack on Tesco Bank, which resulted in the online theft of 2.26 million pounds from 9,000 customers, the results of the investigation have been released. Along with the statement, a fine on the bank (over 16.4 million) was announced because it was unable to protect its clients.
The audits were carried out by the Financial Conduct Authority (FCA), which concluded (PDF) that the bank should pay a fine of 16.4 million pounds because it failed to "exercise the necessary actions, and show the necessary care and diligence" to protect account holders from cyber attacks.
The identities of the hackers were not revealed, but according to the report published by the FCA they managed to take more than £2 million in 48 hours in November 2016.
The attack began at 2:00 a.m. on Saturday, November 5, 2016, and by 4:00 a.m. Tesco Bank's fraud detection system had begun automatically sending text messages to holders of the bank's current accounts, urging them to be alert to "suspicious activity" in their accounts. This is how the bank learned about the attack…
As calls grew rapidly, Tesco Bank's controls managed to stop almost 80% of the unauthorized transactions. But the attack had already hit 8,261 of the bank's 131,000 customers.
The attackers allegedly used an algorithm that generated authentic Tesco Bank debit cards, and thousands of unauthorized transactions were made using these virtual cards.
The FCA said this was due to the way Tesco Bank distributes debit card numbers, but also to mistakes made in the response once the attack was discovered. But the poor design of Tesco Bank's debit cards played an important role in finding security gaps.
According to the FCA, Tesco Bank's security team was not informed until 21 hours after the attack. Throughout this period, illegal transactions continued.