Fraud Management & Cybercrime , Incident & Breach Response , Security Operations

Tesco Bank Confirms Massive Account Fraud

Bank Halts Online Transactions After Money Stolen From 20,000 Accounts
Tesco Bank Confirms Massive Account Fraud
Source: Tesco Bank

Scotland-based Tesco Bank has blocked all online transactions tied to customers' current accounts after money was stolen from 20,000 of those accounts and the bank detected suspicious activity involving another 20,000 accounts, according to CEO Benny Higgins.

See Also: OnDemand Webinar | Utilizing SIEM and MDR for Maximum Protection

"Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently," Higgins wrote in an alert issued in the early hours of Nov. 7 to customers of the Edinburgh-based bank.

"We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, Twitter and direct communication," he said. "We apologize for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers' accounts."

Tesco Bank, which is wholly owned by U.K. supermarket giant Tesco, said it first saw signs of fraud on the evening of Nov. 5. Some Tesco customers, taking to the bank's customer service website, have reported that their accounts were unexpectedly drained over the weekend. Others have reported difficulty in being able to connect with telephone-based Tesco call center staff.

Higgins told the BBC in a Nov. 7 interview that he was "very hopeful" that customers would receive full refunds within 24 hours.

"Any financial loss that results from this fraudulent activity will be borne by the bank," Higgins said. "Customers are not at financial risk."

Scant Details

Tesco said the fraud involved current - aka checking - accounts, which it first launched in June 2014.

Tesco has so far avoided referring to the incident as involving either a data breach or a hack attack. But security experts say that the breach likely involved a system-level compromise, although it's unclear if insiders, outsiders or both may have been involved.

"It is still unclear as to how the affected customer accounts were breached. Over 40,000 victims would be an extremely large number of victims for a phishing campaign so therefore, the breach may be within the bank's systems," says information security consultant Brian Honan, who advises the EU's law enforcement intelligence agency, Europol. "The breach is probably more likely to have come from external attackers using a weakness in the bank's online systems, or from someone within the bank, or indeed from one of the bank's vendors."

The scale of the attack appears to be unprecedented for a British bank. "I've not heard of an attack of this nature and scale on a U.K. bank where it appears that the bank's central system is the target," Alan Woodward, a University of Surrey computer science professor and cybersecurity consultant to Europol, told the BBC.

Honan, who also heads Ireland's computer emergency response team, says that the attack could have repercussions beyond just the bank's image. "The scale of the breach is worrying, and if it is released that the breach was due a vulnerability in the bank's online systems, it will lead to a lot of trust lost in Tesco Bank and indeed may impact people's confidence with the online systems of other banks."

Tesco Banks confirmed the breach in a notice on its homepage.

NCA Launches Investigation

The U.K.'s National Crime Agency says that it is leading the investigation into the incident. "We can confirm that we are coordinating the law enforcement response to the Tesco data breach," a spokesman for the NCA tells Information Security Media Group. The U.K.'s national fraud and cybercrime reporting center is also providing guidance to anyone who might have been affected.

Likewise, the U.K. Information Commissioner's Office says that it will review Tesco Bank's data security practices to ensure that it complied with the country's data protection and privacy laws. "The law requires organizations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate, and enforce if necessary," the ICO notes via Twitter.

Customers: Protected Up To £75,000

Following a five-year joint venture with NatWest, Tesco Bank was founded in 1997 by Tesco and the Royal Bank of Scotland, each of which owned half of the firm. In 2008, Tesco acquired RBS's share, making it a wholly owned subsidiary of Tesco, which is subject to the Financial Services Compensation Scheme. The scheme protects depositors, ensuring that they will be compensated for any losses suffered by authorized firms, up to £75,000 ($93,000).

Tesco Bank said that after detecting fraud over the weekend, as a "precautionary measure," it opted "to temporarily stop online transactions from current accounts." The bank has about 7.8 million customers for its various products - including credit cards and insurance products - including 140,000 customers who use its current accounts.

While customers cannot use debit cards tied to their current accounts for online transactions, they can still use them for chip-and-PIN transactions, the bank says. "All existing bill payments and direct debits will continue as normal," it adds. "We are working hard to resume normal service on current accounts as soon as possible."

Tesco Bank promised to issue new cards to affected customers within 10 days.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.