
20,000 Lose Money in Tesco Bank Hack

Tesco Bank, wholly owned by the UK's largest supermarket chain Tesco, has admitted that "some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently." Nothing more specific about the fraud has been made known, although some reports suggest as many as 20,000 customers may have lost money.

Benny Higgins, the bank's chief executive, said 40,000 current accounts had experienced suspicious transactions and about half had money taken from them. Tesco Bank has now blocked all online transactions, although customers can still use their bank card for cash withdrawals and purchases in shops. The bank has just under 8 million customers and around $10 billion in savings deposits. The thefts were from among its 136,000 current accounts.

Higgins believes that relatively small amounts will have been stolen from individual accounts, but that the details are not yet clear. Small amounts would be compatible with attempts to avoid triggering the bank's fraud detection alerts; but with 20,000 successful withdrawals and another 20,000 potentially blocked, the indication is that the criminals operated very quickly to steal as much as possible before the bank blocked all online transactions. They also timed their activity for a weekend, when fewer bank staff would be working.
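The reasoning above, that individually small withdrawals stay under a per-transaction alert threshold while a burst across many accounts in a short weekend window is only visible in aggregate, is the kind of pattern a population-level detection rule exists to catch. The Python below is an added example written for this page, not code from SecurityWeek, Tesco Bank or any vendor quoted here. The transaction log, the £1,000 per-transaction limit, the hourly baseline and the burst multiplier are all constructed assumptions; the point is the contrast between the two rules over the same data.

```python
"""Added example (not from the article or from Tesco Bank): compare a
per-transaction amount rule with a sliding-window velocity rule over a
constructed online-banking transaction log."""
from datetime import datetime, timedelta

# Constructed sample log: (timestamp, account_id, amount_gbp, channel).
# Three ordinary transactions, then a burst of modest online withdrawals
# from 40 distinct accounts inside 40 minutes on a Saturday night
# (5 Nov 2016 was a Saturday). Amounts cycle through 600, 650 and 700.
SAMPLE = [
    ("2016-11-04 12:10", "acc-0001", 45.00, "online"),
    ("2016-11-04 18:32", "acc-0002", 120.00, "card"),
    ("2016-11-05 09:15", "acc-0003", 30.00, "online"),
] + [
    ("2016-11-05 23:%02d" % i, "acc-%04d" % (100 + i), 600.0 + (i % 3) * 50, "online")
    for i in range(40)
]

PER_TXN_THRESHOLD_GBP = 1000.0   # assumed single-transaction alert limit
WINDOW = timedelta(minutes=60)   # assumed aggregation window
BASELINE_ONLINE_ACCOUNTS_PER_HOUR = 5   # assumed normal distinct-account rate
BURST_MULTIPLIER = 5             # alert when rate exceeds 5x baseline


def parse(rows):
    """Turn the string timestamps into datetimes; everything else passes through."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acc, amt, ch)
            for ts, acc, amt, ch in rows]


def per_transaction_alerts(rows, threshold=PER_TXN_THRESHOLD_GBP):
    """Rule 1: flag any single transaction above the amount threshold.
    Withdrawals of a few hundred pounds never trip this."""
    return [(acc, amt) for _, acc, amt, _ in parse(rows) if amt > threshold]


def busiest_window(rows, window=WINDOW, channel="online"):
    """Slide a time window over the channel's transactions (sorted by time)
    and return the window with the most distinct accounts, with its total
    value, start time and whether it fell on a weekend."""
    txns = sorted((t for t in parse(rows) if t[3] == channel), key=lambda t: t[0])
    best = {"accounts": 0, "total_gbp": 0.0, "start": None, "weekend": False}
    start = 0
    for end in range(len(txns)):
        # Drop transactions that fall out of the window ending at txns[end].
        while txns[end][0] - txns[start][0] > window:
            start += 1
        span = txns[start:end + 1]
        accounts = {t[1] for t in span}
        if len(accounts) > best["accounts"]:
            best = {
                "accounts": len(accounts),
                "total_gbp": round(sum(t[2] for t in span), 2),
                "start": txns[start][0],
                "weekend": txns[start][0].weekday() >= 5,
            }
    return best


def velocity_alert(rows, baseline=BASELINE_ONLINE_ACCOUNTS_PER_HOUR,
                   multiplier=BURST_MULTIPLIER):
    """Rule 2: alert when distinct accounts transacting online within one
    window exceed multiplier * baseline. Returns (fired, peak_window)."""
    peak = busiest_window(rows)
    return peak["accounts"] > baseline * multiplier, peak


if __name__ == "__main__":
    print("per-transaction alerts:", per_transaction_alerts(SAMPLE))
    fired, peak = velocity_alert(SAMPLE)
    print("velocity alert fired:", fired, peak)
```

Over the constructed log the amount rule returns nothing, while the velocity rule reports 40 distinct accounts and £25,950 moved in one window starting at 23:00 on a weekend. A real deployment would key the baseline by channel, hour and day of week rather than use a single constant, but the structure is the same: the aggregate count is the signal, not any one transaction.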

Customers are reporting on social media individual thefts of £600 and £700. One report quotes a customer complaint: "Spoke to Tesco after 1 hour 20 minutes on hold, like others, just waiting for a call back and no sign of my £2,400 today. I'm taking the day off work, I can't go in feeling as low as this."

The bank has stressed that all stolen money will be refunded to customers. "Any financial loss that results from this fraudulent activity will be borne by the bank," Higgins told BBC radio. "Customers are not at financial risk." He believes the cost to the bank will be 'a big number but not a huge number'.

Customers are, however, far from happy with Tesco's customer support. Although the bank has reacted swiftly to block any further losses, customers are finding it difficult to learn anything individually. Many have taken to social media complaining about receiving texts urging them to phone a customer support number only to remain on hold for hours at a time. It would seem that Tesco's incident response plans for minimizing loss were better prepared than its incident response for customer care.

"We are now in dialogue with the National Crime Agency. We are working closely with them. We are also in close contact with the Financial Conduct Authority," Higgins told BBC Radio. The bank will also be in touch with the UK's data protection regulator, the Information Commissioner's Office (ICO). The ICO will investigate whether it thinks Tesco's internal security was adequate. It recently fined TalkTalk £400,000 for failing to adequately protect its customers' personal data.

For now, nothing is publicly known about how the breach was effected. Ilia Kolochenko, CEO and founder of High-Tech Bridge, commented: "The situation is not clear yet, and it's too early to make any conclusions about the origins and the source of the breach. In the past, similar incidents involved many different approaches: from e-banking system compromise to targeted spear-phishing and social engineering campaigns aimed at infecting bank clients' machines or mobile devices with sophisticated malware, stealing money from their accounts. A massive skimming campaign cannot be excluded either."

He does not believe that an actual hack could be achieved without some inside help. "Banking systems, compliance processes and fraud-prevention systems are usually bank-specific, and in order to bypass them (we can speak about successful bypass, as so many people have already lost their money) there would need to be some insider knowledge."

Ed Macnair, CEO of CensorNet, takes a similar view, although he thinks the 'inside help' could be accidental. "People are the weakest link for most organizations," he said, "and I would not be at all surprised if that's the case here. It's pretty hard to remotely hack into a network without some sort of assistance - which is often provided accidentally. People tend to do stupid things, like reusing passwords or clicking on random links, giving hackers the access they need."

It is believed that this is the first acknowledged hack of a British bank leading to large-scale losses. Tesco shares fell by 1.28% to 199.90 pence on the news, while London shares generally rose 1.3%.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.