Customers of the UK's Tesco Bank are likely to have their confidence rattled after it was confirmed that tens of thousands of accounts were raided by hackers this weekend.
The Guardian reports:
Tesco Bank has frozen online transactions after customers were affected by fraudulent activity and pledged to refund those who had money taken from their accounts over the weekend.
Benny Higgins, chief executive of the supermarket chain’s banking arm, said the decision to stop online transactions was an attempt to protect customers. He said 40,000 accounts had been affected, half of which had had money withdrawn in what he described as "online criminal activity".
If you visit the Tesco Bank website you'll see a statement from Higgins addressed to concerned customers.
Although Tesco Bank hasn't shared details of precisely what happened, the scale of the fraud (some 20,000 accounts being plundered) indicates that this wasn't a conventional attack against individual bank accounts, where victims' PCs are typically compromised by malware and login credentials stolen one customer at a time.
Instead, the attack's size suggests that there was a serious security vulnerability in Tesco Bank's online systems that allowed fraudsters to gain access and move money out of accounts without having to go through all the usual authentication checks.
That's the nightmare scenario for an online bank, and there will inevitably be customers who are deeply concerned about what has happened - even though the bank has promised to refund anyone who had money stolen from them over the weekend.
Some victims report that they have had as much as £600 stolen from their Tesco Bank accounts by the hackers over the weekend.
It's possible that the thieves resisted the urge to completely empty accounts in an attempt to reduce the chances of triggering alerts inside the bank that unusual transactions were taking place. I wonder if the timing of the attack - over the weekend - was also deliberately chosen by the online criminals.
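The point about modest withdrawals is worth making concrete. A per-transaction amount threshold, the kind of rule that catches one compromised customer, never fires on a stream of £600 pulls; what stands out is the number of distinct accounts being drained in the same few minutes, at an hour when the bank normally sees almost no activity. The following is an added illustration of that contrast, written for this page and not code from Tesco Bank or the reporting quoted above. The transaction feed, the £1,000 per-transaction limit, the 10-minute window, the weekday/hour baseline table and the 5x multiplier are all constructed assumptions for the example.

```python
"""Two fraud-detection rules over a constructed transaction feed.

Rule 1 is the classic per-account amount threshold, which a thief who keeps
each withdrawal modest slips under.  Rule 2 looks across accounts: how many
distinct accounts are withdrawing in one time window compared with the
baseline for that weekday and hour.  Many accounts drained at once in the
small hours of a weekend is anomalous even when each transfer is unremarkable.
"""
from collections import defaultdict
from datetime import datetime

PER_ACCOUNT_LIMIT_GBP = 1000.0   # hypothetical per-transaction alert threshold
WINDOW_MINUTES = 10              # hypothetical aggregation window
BASELINE_MULTIPLIER = 5          # alert when distinct accounts > 5x baseline

# Constructed sample feed (not real bank data): ISO timestamp, account id, amount.
# The first three rows are ordinary weekday-afternoon activity; the rest are a
# burst of similar-sized withdrawals from many accounts at 2am on a Saturday.
SAMPLE_FEED = """\
2016-11-02T14:03:11,ACC0001,45.00
2016-11-02T14:05:40,ACC0002,120.00
2016-11-02T14:07:02,ACC0003,30.00
2016-11-05T02:01:05,ACC0101,600.00
2016-11-05T02:01:09,ACC0102,600.00
2016-11-05T02:01:14,ACC0103,550.00
2016-11-05T02:01:20,ACC0104,600.00
2016-11-05T02:01:27,ACC0105,480.00
2016-11-05T02:01:33,ACC0106,600.00
2016-11-05T02:01:40,ACC0107,600.00
2016-11-05T02:01:46,ACC0108,600.00
2016-11-05T02:01:52,ACC0109,520.00
2016-11-05T02:01:58,ACC0110,600.00
2016-11-05T02:02:04,ACC0111,600.00
2016-11-05T02:02:10,ACC0112,600.00
"""

# Hypothetical baseline: expected distinct withdrawing accounts per window,
# keyed by (weekday, hour).  weekday() 2 = Wednesday, 5 = Saturday.
BASELINE = {(2, 14): 3, (5, 2): 1}


def parse_feed(text):
    """Turn the CSV-style feed into (timestamp, account, amount) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, acct, amt = line.split(",")
        rows.append((datetime.fromisoformat(ts), acct, float(amt)))
    return rows


def per_account_alerts(rows, limit=PER_ACCOUNT_LIMIT_GBP):
    """Rule 1: flag any single withdrawal above the per-transaction limit."""
    return [(ts, acct, amt) for ts, acct, amt in rows if amt > limit]


def window_key(ts):
    """Truncate a timestamp to the start of its WINDOW_MINUTES bucket."""
    bucket = ts.minute // WINDOW_MINUTES * WINDOW_MINUTES
    return ts.replace(minute=bucket, second=0, microsecond=0)


def fleet_wide_alerts(rows, baseline=BASELINE, multiplier=BASELINE_MULTIPLIER):
    """Rule 2: flag windows where the number of distinct accounts withdrawing
    exceeds the weekday/hour baseline by more than `multiplier`."""
    accounts_per_window = defaultdict(set)
    total_per_window = defaultdict(float)
    for ts, acct, amt in rows:
        w = window_key(ts)
        accounts_per_window[w].add(acct)
        total_per_window[w] += amt
    alerts = []
    for w, accts in sorted(accounts_per_window.items()):
        expected = baseline.get((w.weekday(), w.hour), 1)  # unknown slot: assume quiet
        if len(accts) > expected * multiplier:
            alerts.append({
                "window": w,
                "accounts": len(accts),
                "expected": expected,
                "total_gbp": round(total_per_window[w], 2),
            })
    return alerts


def run(text=SAMPLE_FEED):
    """Apply both rules to a feed and return their alerts side by side."""
    rows = parse_feed(text)
    return {"per_account": per_account_alerts(rows),
            "fleet_wide": fleet_wide_alerts(rows)}


if __name__ == "__main__":
    result = run()
    print("per-account threshold alerts:", result["per_account"])
    for a in result["fleet_wide"]:
        print(f"fleet-wide alert: {a['accounts']} accounts withdrew "
              f"£{a['total_gbp']} in the window starting {a['window']} "
              f"(baseline {a['expected']})")
```

On the constructed feed the per-account rule returns nothing, because no withdrawal exceeds £1,000, while the fleet-wide rule flags the Saturday 02:00 window where twelve accounts were drained against a baseline of one. The weekday/hour baseline is what makes the weekend timing matter: the same dozen withdrawals on a weekday afternoon would sit much closer to normal volume.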
Tesco Bank will need to work hard and quickly to rebuild the confidence of its customers, or find some of them choosing to jump ship. The best approach is for the bank to be as transparent as possible about what has occurred - as customers will be demanding answers.
Of course, it may take some time for the bank to confirm precisely how the crooks broke in, and to be certain that it cannot ever happen again.
Meanwhile, we can expect Tesco Bank and the National Crime Agency to be taking a keen interest in where the stolen funds were moved, whether there might have been some assistance from a rogue insider, and whether there is any prospect of either recovering some of the money or identifying the culprits.