U.K.-based Tesco Bank is temporarily preventing customers from conducting online debit transactions after discovering suspicious financial activity on 40,000 financial accounts over the weekend. Of these impacted accounts, roughly half (or 20,000) experienced unauthorized withdrawals of money.
“We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank,” wrote Tesco Bank Chief Executive Benny Higgins in a corporate statement issued Monday. “This afternoon we began the process of refunding all customer current accounts that have been subjected to online criminal activity and we expect this process to be completed by the end of tomorrow.”
A division of retail giant Tesco PLC, Tesco Bank manages a total of 7.8 customer accounts. A separate spokesperson in Tesco Bank's press office today confirmed the number of affected accounts to SC Media, and reiterated that the company had already begun refunding stolen money.
The bank continues to permit card-based cash withdrawals, chip and PIN payments and existing bill payments and direct debits.
According to a BBC report, Higgins knows precisely how the perpetrators pulled off the cyberheist – calling it “a systemic, sophisticated attack” – but would not divulge the method so as not to interfere with an ongoing investigation.
Ben Gidley, director of technology at digital platform security provider Irdeto, theorized that the attack may have compromised certain customers' computers and mobile devices, rather than the bank network itself – considering that only a portion of accounts were breached. “If a hacker was able to gain access to the bank server then the attack could have been much more devastating,” Gidley explained in comments emailed to SC Media.
Gidley noted that the Tesco cyberattack underscores why web browser security is important to ensure secure banking. “Web browsers are inherently insecure as they are not hardened against attacks that come from a consumer's computer or local Wi-Fi,” said Gidley. “Whenever a browser communicates with a website, vulnerabilities specific to the browser can be exploited and the attacker can gain privileged access to customer data or, even worse, gain root privileges to back-end systems that can compromise operations,” Gidley continued.
Mark Wilson, director of product management at data security software company STEALTHbits Technologies, questioned if two-factor authentication tokens were compromised. “If so, that could cast a shadow across the whole online banking and finance sector. The average person on the street tends to be nervous about online banking and any form of digital transaction. This... will only enforce that concern,” said Wilson in remarks emailed to SC Media.
Wilson also floated the possibility of an insider threat, whereby a rogue employee stole customer details and moved them into an external repository. “If such account details are in the hands of an individual, it could be used for other purposes as well,” Wilson continued, noting that Tesco is not just a retail bank but also the largest grocery retailer in the U.K., with additional specializations in mobile telecommunications, Internet services, insurance, and credit services. “So unless Tesco segregates those platforms, it stands to reason that they may also be at risk – or perhaps already compromised.”
In his statement, Higgins said that the company is actively working with authorities and regulators. “We apologize for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers' accounts,” he wrote.
