On 7 November, the English supermarket giant Tesco issued an official press release announcing that its online banking system had been compromised. Experts consider this attack to be one of the most severe to target the UK banking sector to date – but its origins are unknown.
Tens of thousands of victims
Last Saturday, attackers successfully stole £2.5 million (€2.8 million) from the current accounts of thousands of Tesco Bank clients. According to itv.com, 40,000 accounts were affected by “suspicious transactions”, and 20,000 accounts had money taken. The identity of the attackers is still unknown.
In a press release dated 7 November, Tesco Bank announced it had taken protective measures to safeguard accounts. Online transactions had been suspended, but customers were still able to withdraw cash, use cards in shops and pay bills by direct debit.
The bank’s director, Benny Higgins, reassured customers that fraudulent transactions would be refunded. According to the Financial Conduct Authority (FCA), which regulates financial services in the UK, banks must immediately refund unauthorised transactions unless the customer is at fault or the payment dates back over 13 months.
An unprecedented attack
The attack was a first for the financial sector. Banks face threats on a daily basis; however, Tesco Bank was forced to issue a public statement and take important steps to minimise the impact on customers.
Most attacks only target a few individuals and are generally due to customer negligence. Generalised issues leading to unauthorised transactions affecting thousands of accounts are rare.
Fraudsters regularly use techniques such as phishing, spamming and the theft of passwords or bank data to access the accounts of potential victims. However, attacks that systematically target such a large number of accounts are much less common. For this reason, the attack would appear to be more sophisticated than most. Speaking to the BBC, Professor Alan Woodward, a security consultant who has worked with Europol, said, “I’ve not heard of an attack of this nature and scale on a UK bank where it appears that the bank’s central system is the target.”
Was Tesco Bank hacked?
Tesco Bank has avoided describing the attack as a “hack” but has stated that an initial investigation revealed exactly what happened. A criminal investigation is currently underway, meaning that no further information can be released. Consequently, we can only speculate as to the seriousness and extent of the breach. As mentioned by the BBC, the fact that Tesco Bank has allowed its customers to continue using their bank cards at ATMs and shops indicates that the bank’s core systems were not affected. The number of potential victims and the suspension of online transactions suggest a problem with Tesco’s website.
Can banks prevent these problems? Most cybersecurity experts say no. While ensuring the security of IT systems is an absolute necessity, it is difficult to check the reliability of all third parties, suppliers and sub-contractors. In Tesco’s case, a third party with connections to the bank could have had a security issue, which attackers quickly exploited. The breach could also be the result of maintenance or updates introducing system faults.
In any event, it is likely that attackers continually scan businesses’ IT systems looking for weaknesses or faults to exploit. This confirms the views of specialists, who are continually seeking to raise awareness of these risks.