As we digest the news of the Tesco Bank attack, there is little in the way of hard facts to work with, but one thing can be certain: Tesco Bank was not prepared to deal with the scale of the attack from a customer service point of view.
Around 40,000 customers – from what we have been told – have been affected, many of whom have taken to social media to complain that Tesco's incident response simply hasn't been quick enough.
Customers believe that Tesco Bank, as a large organisation, should be able to respond more quickly to a hack attack involving 40,000 customers.
Under UK banking regulations, customers are entitled to a full refund of any losses plus any resulting banking charges and overdraft fees they may incur, but dealing with so many fraudulent transactions is going to take time.
Tesco has reportedly promised some customers a response within 48 hours, but it's difficult to see how it can possibly resolve so many cases in such a short time.
In the meantime, customers are going to become angrier as their anxiety grows.
The BBC quoted Alan Baxter from Berwick-upon-Tweed who said £600 was taken from his account, leaving him with just £21.88 in the bank. "I've got food and petrol to pay for. I have a delivery of coal coming tomorrow for our coal-fired heater and I won't be able to pay,” he said.
The bank offered him just £25 in emergency money as a goodwill gesture.
Another customer who had just £2 left in his account said he finally got through to customer service only to be told that it would be 48 hours before it was sorted out because “there had been a lot of transactions on my account that could not be linked to me or my wife”. This may indicate that the attackers have made lots of small transactions to cover their tracks, which will only make it more difficult for Tesco Bank to resolve.
Apparently some customers are already threatening to move their accounts, not so much because of the fear of the bank being hacked, but because of the way they were treated by the Bank.
One can imagine the scene at Tesco right now, as customer service teams try to field calls from tens of thousands of concerned customers while the security team works with the National Crime Agency to track the source of the attack and the accountants try to tease out the fraudulent transactions from the genuine ones to work out how much customers are entitled to in refunds.
It would be difficult enough dealing with a couple hundred cases – multiply that 200-fold and you begin to appreciate the scale of the problem.
But one must ask the question: where was Tesco Bank's contingency plan for dealing with a hack on this scale? Surely in the scenario planning for a possible attacks, this situation must have come up. Or did they simply dismiss it?
When drawing up future cyber-attack planning scenarios, all companies, including smaller concerns, will need to take customer response into account.
