Financial Conduct Authority fines Tesco Bank £16.4m over 2016 security breach

The Financial Conduct Authority (FCA) has slapped a £16.4m fine on Tesco Bank for the security vulnerabilities that led to millions of pounds being pilfered from thousands of customers’ online accounts two years ago. As revealed by us at the time, Tesco called on the National Cyber Security Centre to probe the 5 November 2016 …

  1. Anonymous Coward


    I was going to suggest BOGOF but they're already ahead with 60% discount, what about 3 for 2 offer? :-)

  2. HmmmYes


    I'd hate to be holding equity in a bank that has messed up after, say, 2016.

    Just as well as all the UK banks are totally robust and haven't spent the last 6 months in various states of fuckup.

    ~32m, reduced to 16m for cooperating.

    I'd be putting those numbers into the outsourcing cost saving spreadsheet.

    1. Spazturtle

      UK banks will be fine, their online banking systems can't get hacked if they are continually down.

      1. katrinab Silver badge

        It wasn't the online banking system that was hacked though.

        They found a way to create valid magnetic strip cards and used them to steal the money.

  3. Pascal Monett Silver badge

    A 30% discount just for cooperating

    What the frak? Isn't cooperation supposed to be MANDATORY?

    If you don't cooperate, multiply the potential fine by 2, I say.

  4. sitta_europea

    And _still_ no DNSSEC, and the SPF record (never mind it includes) ends with "~all".

    I know, I know, you've heard it before.

    1. Spazturtle

      You know what and have in common? Both still haven't configured a DNS CAA record.

    2. allan wallace


      Feel free to hide this post until you have resolved the issues with your DNS records.

      On the subject of SPF: doesn't have SPF, DOES have DMARC.(nothing about strictness of aspf or adkim...) DOES NOT have PCI DSS compliant MX

      - thought this was a requirement for a bank?... DOES have SPF - but it's broken: "too many DNS lookups" and two a: mechanisms that point to FQDNs that don't have any A records.... DOES NOT have PCI DSS compliant MX DOES NOT have DMARC DOES NOT have DMARC or SPF has a good guide about the 10 dns lookup limit

      - near the bit about reducing the risk of DOS attacks.

      To fix TheRegister's SPF record, remove the following:


      (you don't need this! - your mx are google and you .......)

      (no a record published in DNS)

      (no a record published in DNS)

      You could simply use "a" if you wanted to allow future domains without having to publish each individual one, but please remember:


      KEEP -all on the end, it's a good bit.

      Have you considered DMARC, DKIM, DNSSEC and DANE?

      Would you like a quote?....

      - one of my favourites is "lobbest thou thy Holy Hand Grenade"


      TheRegister's password reset page allows the enumeration of registered email addresses (different message given if email address is not registered....)

      - you might want to take a closer look at this too, I think it was a DPA issue, and I'm pretty sure GDPR could say similar.

      1. Mark 85 Silver badge

        I hope you emailed the editor on this.
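The SPF complaints above (too many DNS lookups, "a:" mechanisms that point at names with no A record, "~all" instead of "-all") are all checkable mechanically. The following is an added example, not code from the thread or from The Register; it walks an SPF record the way an evaluator would, counting the terms that cost a DNS lookup under the 10-lookup limit of RFC 7208 and flagging the other two problems. The zone data and hostnames are constructed stand-ins for DNS so the script runs offline; `audit_spf`, `parse_terms` and the `.test` names are assumptions of this example.

```python
"""Offline SPF record audit: lookup count, dangling a: targets, final 'all' qualifier."""

# Constructed zone data standing in for DNS TXT records (assumption: none of these are real domains).
TXT = {
    # The "before" record: 15 lookup-costing terms, one dangling a: target, soft-fail ending.
    "example-bank.test": "v=spf1 include:_spf.mailhost.test include:spf.crm.test "
                         "a:mail.example-bank.test a:legacy.example-bank.test mx ~all",
    "_spf.mailhost.test": "v=spf1 include:_netblocks1.mailhost.test "
                          "include:_netblocks2.mailhost.test include:_netblocks3.mailhost.test ~all",
    "_netblocks1.mailhost.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.mailhost.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks3.mailhost.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "spf.crm.test": "v=spf1 include:a.crm.test include:b.crm.test mx ~all",
    "a.crm.test": "v=spf1 a mx ~all",
    "b.crm.test": "v=spf1 a mx ~all",
    # The "after" record: unused includes dropped, dangling a: removed, hard-fail ending.
    "fixed.example-bank.test": "v=spf1 include:_spf.mailhost.test a:mail.example-bank.test -all",
}

# Constructed A records (assumption). legacy.example-bank.test is deliberately absent.
A = {
    "mail.example-bank.test": "192.0.2.10",
    "a.crm.test": "198.51.100.5",
    "b.crm.test": "198.51.100.6",
}

# Terms that each cost one DNS lookup during evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def parse_terms(record):
    """Split an SPF record into (qualifier, name, value) tuples, skipping the v=spf1 tag."""
    terms = []
    for tok in record.split()[1:]:
        head = tok.split("=")[0]
        if "=" in tok and ":" not in head:
            # Modifier such as redirect=domain or exp=domain.
            name, _, val = tok.partition("=")
            terms.append(("+", name.lower(), val))
            continue
        qualifier = "+"
        if tok[0] in "+-~?":
            qualifier, tok = tok[0], tok[1:]
        name, _, val = tok.partition(":")
        # Drop CIDR suffixes such as a/24 or a:host/24 so the name and target stay clean.
        terms.append((qualifier, name.split("/")[0].lower(), val.split("/")[0]))
    return terms


def _walk(domain, txt, a_records, state, findings, path=()):
    """Recursively count lookups for one domain's record; returns its 'all' qualifier."""
    if domain in path:
        findings.append(f"{domain}: include/redirect loop via {' -> '.join(path)}")
        return None
    path = path + (domain,)
    record = txt.get(domain)
    if record is None:
        findings.append(f"{domain}: no SPF record")
        return None
    all_qualifier = None
    for qualifier, name, val in parse_terms(record):
        if name in LOOKUP_TERMS:
            state["lookups"] += 1
        if name in ("include", "redirect"):
            _walk(val, txt, a_records, state, findings, path)
        elif name == "a":
            target = val or domain  # bare "a" means the current domain
            if target not in a_records:
                findings.append(f"{domain}: a:{target} has no A record")
        elif name == "all":
            all_qualifier = qualifier
    return all_qualifier


def audit_spf(domain, txt=TXT, a_records=A):
    """Return the lookup total, limit verdict, top-level 'all' qualifier and findings."""
    findings, state = [], {"lookups": 0}
    all_qualifier = _walk(domain, txt, a_records, state, findings)
    if all_qualifier == "~":
        findings.append(f"{domain}: record ends in ~all (soft fail); consider -all")
    return {
        "domain": domain,
        "lookups": state["lookups"],
        "over_limit": state["lookups"] > MAX_LOOKUPS,
        "all_qualifier": all_qualifier,
        "findings": findings,
    }


if __name__ == "__main__":
    for name in ("example-bank.test", "fixed.example-bank.test"):
        result = audit_spf(name)
        print(f"{name}: {result['lookups']} lookups (limit {MAX_LOOKUPS}), "
              f"over_limit={result['over_limit']}, all={result['all_qualifier']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Against live DNS the two dictionaries would be replaced by TXT and A queries, but the counting logic is the same: every include, a, mx, ptr, exists and redirect costs a lookup wherever it sits in the include tree, which is why a record that looks short at the top level can still exceed the limit and cause receivers to return permerror.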

  5. Anonymous Coward

    It'll all be Clawed-back from Executive Salary

    In my imagination... Loved this part: "Tesco Bank’s *Financial-Crime-Operations-Team* emailed the fraud strategy inbox rather than phoning the on-call *Fraud-Strategy-Team* - as internal regs required". WTF? Is this the Judean People's Front vs People's Front of Judea - Splitters!

    1. tfewster

      Re: It'll all be Clawed-back from Executive Salary

      Presumably an *ANTI Financial-Crime-Operations-Team* and an *ANTI Fraud-Strategy-Team*?

      Still, if you saw a robbery in progress, would you ring the police or write to your MP?

  6. Anonymous Coward

    Imagine the clubcard points with that

  7. sanmigueelbeer Silver badge

    Reading from different sources about this subject, I find it "strange" (to say the least) how UK-based financial organizations understand the concept of IT Security. It reminds me of several scenes from Fawlty Towers. In one article, it is stated that "One of these involved the PAN numbers - the 16 digit card number sequence used to identify all debit cards. Tesco Bank inadvertently issued debit cards with sequential PAN numbers."

    "sequential numbers". Oh, this is not just "stupid". This is just "asking for it" and is very much like building a house but without a roof or door.

    I do hope that the person who thought of this got a promotion.

  8. Anonymous Coward

    but... but...

    they said they employ robust, world-leading technologies to ENSURE the safety of the deposits, right?! And then, when I called their customer support, they said, quote, "we provide robust, world-leading technologies to ENSURE the safety of your deposits". And when I was still unsure, they said, "AS I WAS SAYIN, WE. EMPLOY. ROBUST. WORLD-LEADING. TECHNOLOGIES. TO ENSURE. THE SAFETY. OF. YOUR. DEPOSITS!"

    And they call themselves a "Bank", right? So, like, how come they got hacked, eh?!

  9. EnviableOne Silver badge

    that's not the worst of it

    the whole CNP system is ripe for this sort of attack

    no transaction rate limiting, no same origin tracking

    specific detailed failure messages .... (wrong card no, wrong cvv, wrong expiry)
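The three gaps listed in that comment (no per-transaction rate limit, no tracking of attempts by origin, and decline messages that say which field was wrong) each have a straightforward server-side control. The block below is an added example, not code from the thread and not a description of any bank's authorisation system: a card-not-present verification step that keeps a sliding-window attempt count per origin, also counts how many distinct PANs one origin has tried, and returns a single merchant-facing "declined" whatever the reason. The card-on-file store, PANs, addresses, thresholds and the function names `OriginTracker` and `verify_cnp` are all constructed for the example.

```python
"""Card-not-present verification with origin tracking and a uniform decline response."""
import hmac
from collections import defaultdict, deque

# Constructed card-on-file store (assumption: test values only, not real cards).
CARDS_ON_FILE = {
    "4111111111111111": {"cvv": "123", "expiry": "12/26"},
    "4222222222222222": {"cvv": "456", "expiry": "03/27"},
}


class OriginTracker:
    """Per-origin sliding-window attempt limit plus a distinct-PAN counter.

    A legitimate customer retries one card a few times; a guessing run from one
    origin touches many cards, so the distinct-PAN count is the stronger signal.
    """

    def __init__(self, max_attempts=5, window=60.0, max_distinct_pans=3):
        self.max_attempts = max_attempts
        self.window = window
        self.max_distinct_pans = max_distinct_pans
        self.attempts = defaultdict(deque)   # origin -> timestamps of attempts
        self.pans = defaultdict(set)         # origin -> distinct PANs attempted

    def record(self, origin, pan, now):
        q = self.attempts[origin]
        while q and now - q[0] > self.window:  # drop attempts outside the window
            q.popleft()
        q.append(now)
        self.pans[origin].add(pan)

    def blocked(self, origin):
        return (len(self.attempts[origin]) > self.max_attempts
                or len(self.pans[origin]) > self.max_distinct_pans)


def verify_cnp(pan, cvv, expiry, origin, tracker, now, cards=CARDS_ON_FILE):
    """Return (merchant_response, internal_reason).

    merchant_response is what leaves the system and is only ever "approved" or
    "declined"; internal_reason is for the fraud log and never reaches the caller.
    """
    tracker.record(origin, pan, now)
    if tracker.blocked(origin):
        return ("declined", "origin_blocked")
    on_file = cards.get(pan)
    # Compare all fields in one constant-time check, even for an unknown PAN, so neither
    # the wording nor the timing of the decline says which of PAN, CVV or expiry was wrong.
    expected = (on_file["cvv"] + "|" + on_file["expiry"]) if on_file else "\0"
    submitted = cvv + "|" + expiry
    ok = on_file is not None and hmac.compare_digest(expected.encode(), submitted.encode())
    return ("approved", "match") if ok else ("declined", "mismatch")


if __name__ == "__main__":
    tracker = OriginTracker()
    print(verify_cnp("4111111111111111", "999", "12/26", "198.51.100.7", tracker, 0.0))
    print(verify_cnp("4111111111111111", "123", "12/26", "198.51.100.7", tracker, 1.0))
    for i, guess in enumerate(["4000000000000001", "4000000000000002",
                               "4000000000000003", "4111111111111111"]):
        print(verify_cnp(guess, "123", "12/26", "203.0.113.9", tracker, float(i)))
```

The last loop shows the distinct-PAN rule doing its job: the fourth card tried from one origin is declined even though its details are correct, and the merchant sees exactly the same "declined" it saw for the three wrong ones. The internal reason goes to the fraud log, where an on-call team can act on it.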
