The serious security breach is being hailed as an unprecedented attack. Tesco has revealed little about the nature of the fraud, describing it as “online criminal activity.” It has not stated whether the funds were stolen using an external hack or if the attackers gained physical access to a machine.
The incident is unique because the money was taken by an automatic process. The majority of banking attacks revolve around unwitting customers clicking links in phishing emails and being scammed into giving up money. Tesco’s customers knew nothing of the breach until they found their balances reduced this morning.
Tesco said it observed suspicious activity on around 40,000 accounts over the weekend. It confirmed that funds were then taken from around half of them. The company stressed that relatively small amounts of money were stolen from each customer. Most people appear to have lost £500 to £700.
Benny Higgins, Tesco Bank’s chief executive, pledged that stolen funds would be repaid in full by the bank. “We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible.”
Customers have criticised Tesco for its response to the breach. The company’s customer service helplines have been inundated with requests for support, leaving people unable to reach an operator. Some customers have reported being left with less than ten pounds in their account. Tesco has been telling customers it could take up to two days to get the funds restored.
One customer said they were offered £25 cash as “a goodwill gesture” but were told no emergency funds were available. “I’ve got food and petrol to pay for. I have a delivery of coal coming tomorrow for our coal-fired heater and I won’t be able to play,” Alan Baxter, of Berwick-upon-Tweed, said to the BBC.
Tesco said it is working with the relevant authorities in the wake of the attack to deal with the fraud. The company has yet to establish how the crime took place. Some experts have speculated it’s unlikely to be an external “hack.” Instead, the funds were probably stolen from within Tesco’s own systems. It could be a privileged Tesco employee or somebody an employee’s unwittingly shared sensitive credentials with.
However, Tesco’s suspension of online transactions points the finger at problems in its website. It could be that a recent site update or the introduction of a new bug gave cybercriminals a chance to obtain access to the databases behind. Tesco is conducting an investigation into the circumstances surrounding the breach.
The U.K.’s Financial Conduct Authority is currently monitoring Tesco Bank’s handling of the situation to ensure the money is returned to customer accounts. Tesco has notified the National Crime Agency, initiating a coordinated fraud response involving multiple law enforcement agencies.
“We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, Twitter and direct communication,” said Higgins.
