Tesco Bank has confirmed that some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.
In a statement, chief executive Benny Higgins apologized for the “worry and inconvenience that this has caused for customers”, and stressed that it is taking every step to protect customer accounts.
“That is why, as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts,” he said. “This will only affect current account customers. While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal.
“We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible.”
According to the BBC, up to 40,000 of Tesco’s seven million accounts may have been impacted, although the company has yet to use the word “hacking” to describe the breach.
Ben Gidley, director of technology at Irdeto, said that while details of how the Tesco Bank hack occurred are not yet public, too often we see banks and other payment service providers treat security as a check box.
“This approach is not a strategy and if consumers are compromised they will blame the bank (and in this case, the supermarket that owns it),” he said. “Losing this brand trust by consumers often results in them looking to another banking organization that they trust to keep their sensitive financial and personal information secure.”
Andrew Bushby, UK director at Fidelis Cybersecurity, added: “What’s noteworthy about this particular breach is how it was handled over the weekend. While the customer service team at Tesco most likely did all it could to advise customers, it simply didn’t have enough resources to keep up with the flurry of concern both via phone and social media.
“Hackers can attack at any time, and enterprises need to be prepared for whenever they might hit. An advisory process needs to be designed beforehand and customer advisers need to be set up to answer questions from potentially affected customers. Having a plan of action like this will put the organization in control, consumers will trust that every precaution has been made to protect their finances, and distress will be minimized. It is no longer a test of whether a company can defend against fraud or a cyber-attack, the goal posts have moved, and it’s now a matter of how well they can respond.”
Javvad Malik, security advocate at AlienVault, said: “Online banking is generally safe enough and fit for purpose. There are improvements being made, with many banks deploying card-reader or one-time-password tokens to customers, which are needed to log on or to pay a new account. I say safe enough, because there is compensation, insurance, and other coverage in place. So as long as customers are refunded their money, and the losses remain within the banking fraud appetite, it remains a viable business model.”