Incident Analysis

Tesco Bank Cyber Attack: How 9,000 Accounts Were Drained and the £16.4M FCA Fine That Followed

On the weekend of 5–6 November 2016, attackers drained £2.26 million from 9,000 Tesco Bank current accounts in a single overnight attack. It was the first cyber-enabled mass fraud against a UK retail bank, and the FCA's response set a precedent that every regulated firm must understand: in 2018, Tesco Bank was fined £16.4 million — not because the attack was unforeseeable, but because the bank's defences were inadequate and its incident detection and response were too slow. The fine was not for the fraud. The fine was for the failure to have controls proportionate to a foreseeable risk.

FCA fined Tesco Bank £16.4M in 2018 — 9,000 accounts drained of £2.26M overnight in November 2016. The largest cyber-related fine in UK financial services at the time.

What Happened: The Attack Sequence

The November 2016 attack exploited vulnerabilities in Tesco Bank's debit card system that the FCA subsequently determined should have been identified and remediated. The key events:

  • Saturday 5 November: Attackers initiated fraudulent transactions across 9,000 accounts, predominantly using contactless and online payment channels
  • The transactions appeared in the bank's systems during Saturday night — but monitoring and response were inadequate to detect the pattern at scale in real time
  • By Sunday morning, £2.26M had been drained. Tesco Bank halted online transactions for all 136,000 current account holders — affecting innocent customers for days
  • The FCA investigation revealed the attack used a vulnerability in the bank's algorithm for generating debit card numbers that had been previously flagged but not remediated
  • The vulnerability was not new — similar attacks had been seen in other markets. Tesco Bank had not assessed whether the same attack methodology applied to its own card system

Why the FCA Fined Tesco Bank

The FCA's Final Notice (October 2018) made clear that the fine was not for suffering a cyber attack — attacks are foreseeable in financial services. The FCA found that Tesco Bank:

  • Failed to exercise due skill, care and diligence in the design of its debit card algorithm — the vulnerability that attackers exploited was an identifiable weakness
  • Had inadequate fraud detection systems that failed to identify and block the pattern of fraudulent transactions as they occurred at scale overnight
  • Failed to implement adequate controls that would have detected and limited the fraud in real time rather than only after significant losses had accumulated
  • Took too long to respond once the fraud was identified — the response delay increased losses and customer impact
  • Breached FCA Principle 2 (due skill, care and diligence) and FCA Principle 6 (treating customers fairly)

The Regulatory Precedent: What Every Firm Must Understand

The Tesco Bank case established several principles that the FCA has applied consistently since 2018. First, foreseeable attack vectors that are not mitigated are a regulatory failure, not just a technical gap. Second, incident detection capability — real-time monitoring of transaction patterns — is an expected control, not an optional enhancement. Third, the speed of incident response is assessed: firms that detect an incident hours after it begins and respond slowly face additional regulatory sanction. Fourth, the FCA takes the view that firms serving retail customers must implement controls that protect those customers from foreseeable fraud. The bank bears this obligation even when the fraud is technically sophisticated.

What Controls Would Have Prevented or Limited the Attack

With the benefit of the FCA's investigation, several controls emerge as directly relevant to preventing or limiting the Tesco Bank attack:

  • Card algorithm security review: Independent assessment of debit card number generation for known attack patterns — a specific control that Tesco Bank did not have in place
  • Real-time transaction monitoring: Anomaly detection across all accounts capable of identifying a coordinated attack pattern overnight — not just individual transaction fraud alerts
  • Velocity rules: Automated blocks on abnormal transaction patterns per account and across the portfolio — preventing mass drainage before losses accumulate
  • Incident response testing: Tested escalation procedures for overnight and weekend incidents — Tesco Bank's response was slow partly due to gaps in out-of-hours escalation
  • Threat intelligence: Awareness of similar attacks in other markets — the attack methodology was not novel; it had been seen elsewhere and should have been on Tesco Bank's radar
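The velocity and portfolio-level monitoring controls listed above, as an added Python example (not Tesco Bank's, the FCA's, or this page's own code): a per-account velocity rule beside a portfolio-wide burst check run over constructed overnight transactions. The thresholds, the 5-minute bucket and the sample data are all assumptions chosen to show why per-account alerts alone miss a coordinated attack spread thinly across many accounts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transactions (not real Tesco Bank data): (timestamp, account, amount_gbp).
SAMPLE_TXNS = (
    [(datetime(2016, 11, 6, 1, 15), "acct-0001", 12.50),          # quiet overnight baseline
     (datetime(2016, 11, 6, 1, 40), "acct-0002", 30.00)]
    # one account hammered repeatedly: the classic per-account velocity case
    + [(datetime(2016, 11, 6, 1, 50) + timedelta(seconds=30 * i), "acct-0003", 60.00)
       for i in range(6)]
    # coordinated burst: 120 debits over 40 accounts, 20 s apart, so each account is hit only
    # 3 times and 13 minutes apart; no single account trips the per-account rule
    + [(datetime(2016, 11, 6, 2, 0) + timedelta(seconds=20 * i), f"acct-{1000 + i % 40}", 95.00)
       for i in range(120)]
)

WINDOW = timedelta(minutes=10)      # per-account sliding window (assumed threshold)
MAX_TXNS_PER_WINDOW = 5             # per-account count limit (assumed)
MAX_AMOUNT_PER_WINDOW = 250.0       # per-account amount limit in GBP (assumed)
BUCKET_MINUTES = 5                  # portfolio-level time bucket (assumed)
BASELINE_PER_BUCKET = 2             # assumed normal overnight volume across the whole book
BURST_MULTIPLIER = 5                # alert when a bucket exceeds baseline * multiplier
MIN_DISTINCT_ACCOUNTS = 10          # a burst across many accounts, not one cloned card


def per_account_velocity_alerts(txns):
    """Flag an account the first time its count or total within WINDOW exceeds the limits.
    Returns {account: (txn_count, total_amount)}."""
    alerts, recent = {}, defaultdict(deque)   # account -> (ts, amount) pairs inside WINDOW
    for ts, acct, amt in sorted(txns):
        q = recent[acct]
        q.append((ts, amt))
        while ts - q[0][0] > WINDOW:          # drop transactions that fell out of the window
            q.popleft()
        count, total = len(q), sum(a for _, a in q)
        if acct not in alerts and (count > MAX_TXNS_PER_WINDOW or total > MAX_AMOUNT_PER_WINDOW):
            alerts[acct] = (count, total)
    return alerts


def portfolio_burst_alerts(txns):
    """Flag BUCKET_MINUTES intervals whose portfolio-wide volume is a multiple of the baseline
    and is spread across many accounts. Returns [(bucket_start, txn_count, distinct_accounts)]."""
    buckets = defaultdict(list)
    for ts, acct, _ in txns:
        start = ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)
        buckets[start].append(acct)
    alerts = []
    for start, accts in sorted(buckets.items()):
        if len(accts) > BASELINE_PER_BUCKET * BURST_MULTIPLIER and len(set(accts)) >= MIN_DISTINCT_ACCOUNTS:
            alerts.append((start, len(accts), len(set(accts))))
    return alerts
```

On the sample data the per-account rule flags only acct-0003, while the portfolio check flags every 5-minute bucket of the spread-out burst from 02:00 onwards.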

The Lessons for FCA-Regulated Firms in 2025

Seven years on, the Tesco Bank case is more relevant than ever. The FCA's operational resilience framework (PS21/3) now requires all regulated firms to identify important business services and set impact tolerances — explicitly including protection of retail customers from financial harm. Any firm that processes client payments, holds client money, or operates client accounts must be able to answer: what would happen if our payment systems were attacked overnight? Do we have real-time monitoring? Would we detect it in minutes or hours? What is our escalation procedure at 2am on a Saturday? The FCA expects these questions to have tested, documented answers.

Frequently Asked Questions

Did Tesco Bank customers get their money back?

Yes. Tesco Bank reimbursed all affected customers the £2.26M that was fraudulently taken. The FCA fine of £16.4M was separate from the customer reimbursement — it was a regulatory sanction for the firm's control failures, not compensation for losses. The reimbursement itself was a condition of retaining FCA authorisation and demonstrating that Tesco Bank had treated its customers fairly.

Is the Tesco Bank fine still the benchmark for FCA cyber enforcement?

The £16.4M Tesco Bank fine was the largest FCA cyber-related fine at the time and remains a significant benchmark. Since 2018, the FCA has issued further cyber-related fines and has developed a more detailed operational resilience framework through PS21/3. The principle established in the Tesco Bank case — that the FCA will fine firms not just for suffering attacks but for failing to implement adequate controls — remains the foundation of FCA cyber enforcement.

What does the Tesco Bank case mean for operational resilience compliance?

PS21/3 requires firms to identify important business services and set impact tolerances for disruption. Retail payment processing is a core important business service for any firm that handles client money. The Tesco Bank case illustrates exactly what happens when a firm cannot sustain that service under attack: £16.4M fine, days of service disruption for 136,000 customers, and lasting reputational damage. Firms setting impact tolerances must take account of cyber attack scenarios, not just system outages.

Assess your firm's cyber controls against FCA expectations

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
