40,000 Tesco Bank Accounts Accessed by Cyber Thieves


The U.K.'s Tesco Bank recently announced that some customers' accounts were illegally accessed last weekend, "in some cases resulting in money being withdrawn fraudently," according to bank chief executive Benny Higgins.

In response, the bank blocked access to online transactions on Sunday, November 6, and hasn't said when access will be restored.

BBC News reports that approximately 40,000 Tesco accounts saw suspicious activity, and 20,000 had funds stolen, though the bank isn't saying how much money was stolen in total.

"We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank," Higgins stated on Monday.

The Telegraph reports that Tesco could face a multi-million pound fine in response to the breach, noting that the U.K.'s Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) fined the Royal Bank of Scotland a combined £56 million two years ago following a computer system failure.

Though the bank's statement described the attack as "online criminal activity," no specific information was made available regarding how the breach took place.

Mark Wilson, director of product management at STEALTHbits Technologies, told eSecurity Planet by email that the big question is how the perpetrator was able to access so many accounts. "Internet banking utilizes multi-factor authentication," he said. "Were two-factor authentication tokens compromised? If so, that could cast a shadow across the whole online banking and finance sector."

"The average person on the street tends to be nervous about online banking and any form of digital transaction," Wilson added. "This breach will only enforce that concern."

In response, Shane Stevens, director of omni-channel identity and trust solutions at VASCO Data Security, said banks need to take a step back and reassess security at all levels. "A thorough assessment must be done to validate their current code and gaps so that they can put together a security game plan that will drive advanced protection against fraudsters in the marketplace," he said.

"Merely sharing security knowledge and communications from CEO to teller and from bank to bank is no longer making the cut," Stevens added. "It's time for executives to take action across all banks to drive a global convergence of intelligent security solutions, as customers and banks don’t know who to trust any more, and that's actually making it easier for cybercriminals to succeed."

RiskVision CEO Joe Fantuzzi said by email that the global and interconnected nature of most banking systems makes them particularly attractive to hackers. "If the recent SWIFT hack is any indication, national borders do little, if anything, to protect organizations that are linked around the globe," he said. "In fact, if anything, this kind of connectivity greatly expands threat vectors and increases risk."

"These days, it’s likely that vulnerable and inadequately secured organizations share the same communication channels and networks with multiple other financial institutions," Fantuzzi added. "Subsequently, banks will need to be even more vigilant going forward, placing more resources and energy into finding the critical vulnerabilities in their environment and addressing the ones that open up the door for attack."

A recent eSecurity Planet article examined seven best practices for database security.