Throughout the weekend around 40,000 Tesco Bank accounts reported suspicious transactions and 20,000 of these had money taken.
This has lead to Tesco Bank halting online payments until the situation is under control.
Earlier, the bank confirmed some accounts “have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently”.
Many experts are suggesting this is a blatant cyber attack, although Tesco has yet to classify the breach as a hack.
The bank’s chief executive Benny Higgins told the BBC he was “very hopeful” customers would be refunded within 24 hours.
“Any financial loss that results from this fraudulent activity will be borne by the bank,” Mr Higgins said. “Customers are not at financial risk.”
Higgins also made clear on the BBC’s Today programme that customers will still be able to use their cards for cash withdrawals, chip and pin payments, and bill payments.
They can also use, according to Higgins, online banking, but can’t make online transactions until the situation is resolved.
Earlier, the bank confirmed some accounts “have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently” over the weekend.
“It was interesting,” said Thomas Fischer, threat researcher and security advocate at Digital Guardian, “that the malicious party chose to conduct the fraudulent transactions during the weekend.”
“Traditionally, organisations are under-staffed and are therefore slower to respond during these hours. Businesses should make sure they have the proper detection mechanisms and incident responses processes in place. If the business has a 24×7 operational remit, security processes should be applied systematically at all times of the day, every day of the week.”
Who is to blame and what are the consequences?
Currently the potential hacking group is unknown.
It is only matter of time, suggests Dan Panesar, VP EMEA at Certes Networks, before the finger of blame starts pointing.
“Working in a heavily regulated industry, Tesco Bank complies with every industry guideline and standard to ensure the safety of its customers’ data. The problem actually lies in the entire industry’s approach to cyber security.”
“There is an inherent flaw in the current ‘protect’, ‘detect’, ‘react’ model, as once a hacker bypasses a network’s outer perimeter they are free to move uninhibited across the network, accessing vast quantities of sensitive data and wreaking havoc.”
In terms of consequences, the Financial Conduct Authority says banks must refund unauthorised fraudulent payments immediately, unless they have evidence that the customer was at fault or the payment was more than 13 months ago.
Yet another warning sign with GDPR looming
When GDPR comes into effect in 2018 scenarios like the one Tesco is currently facing will be a living nightmare.
The need for a swift response is important in today’s regulatory environment. Post-GDPR it will be critical.
“With less than two years until the European Union General Data Protection Regulation (GDPR) comes into effect, businesses must learn from attacks and make changes now,” said Andre Stewart, VP EMEA at Netskope.
“A major part of ensuring GDPR compliance will involve getting to grips with reporting data breaches in a timely manner – as well as demonstrating that comprehensive and proportionate governance measures were implemented to protect customers’ data.”