A ‘largely avoidable’ cyberattack that netted hackers £2.26 million two years ago has led to the City watchdog imposing a fine of £16.4m on Tesco Bank.

The Financial Conduct Authority (FCA) said the bank had failed to “exercise due skill, care and diligence in protecting its personal current account holders against a cyberattack”.

The regulator said attackers exploited “deficiencies” in the design of Tesco Bank’s debit card, in its financial crime controls and in its financial crime operations team to carry out the hack. The result, in the FCA’s words, was a “largely avoidable incident” that left customers exposed over a 48-hour period in November 2016.

Mark Steward, the FCA’s executive director of enforcement and market oversight, said: “The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks. In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all. Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.

“The standard is one of resilience, reducing the risk of a successful cyberattack occurring in the first place, not only reacting to an attack. Subsequently, Tesco Bank has strengthened its controls with the object of preventing this type of incident from being repeated.”

Following the attack, the bank immediately put in place a “comprehensive redress” programme and devoted significant resources to improving the deficiencies which had left it vulnerable.

Had Tesco Bank not provided a high level of co-operation to the FCA and agreed to an early settlement, the FCA said it would have fined it £33.56m.

Gerry Mallon, Tesco Bank’s chief executive, said: “We are very sorry for the impact that this fraud attack had on our customers. Our priority is always the safety and security of our customers’ accounts and we fully accept the FCA’s notice.

“We have significantly enhanced our security measures to ensure that our customers’ accounts have the highest levels of protection. I apologise to our customers for the inconvenience caused in 2016.”