Over the first weekend of November 2016, Tesco Bank saw its systems hacked into, with a reported 40,000 fraudulent transactions taking place.
Chief Executive of Tesco Bank, Benny Higgins, blamed “a systematic, sophisticated attack” for the money fraudulently taken from customers’ bank accounts.
Tesco were quick to confirm that fewer than half of the 40,000 accounts had funds withdrawn, and that the amounts taken from customers were ‘relatively small’. From the bank’s point of view, this was positive news – but the same couldn’t be said for customers who had hundreds – or on some occasions even thousands – of pounds swiped from their accounts.
While the incident was initially being investigated, the bank temporarily stopped customers from making online payments, although they could use their cards in-store and at cash points.
Tesco reassured customers that all money would be refunded as a matter of urgency. The bank were true to their word, with £2.5m refunded to the 9,000 hacked customers by the end of Tuesday 8th November. Higgins told the BBC, “we’ve now refunded all customer accounts by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal.”
He continued, “we’d also like to reassure our customers that none of their personal data has been compromised. We’d again like to apologise for the worry and inconvenience this issue has caused.”
It’s been reported that Tesco could subsequently be hit with a multi-million-pound fine by City regulators in the wake of the breach. Should regulators find that failures in the bank’s systems and controls contributed to the cyber-attack, the lender could be hit with a damaging financial penalty – on top of the cost of refunding customers and any other necessary compensation.
Cyber-security experts confirmed that the scale of this attack was unheard of in UK banking. David Emm, a senior researcher at security software firm Kaspersky, said, “This is the biggest incident that I can think of in banking terms. I can’t think of banking activity being suspended before.”
Although the attack has been quickly resolved by the bank, it’s proof that any business can be the target of a cyber attacker. It’s imperative that organisations stay alert and one step ahead of the criminals, whose sole aim is to steal sensitive data and funds.