This weekend many Tesco Bank customers were in for a shock when they checked their balances. Although it is unclear at present exactly what happened (Tesco is being very coy about referring to the incident as a “hacking” attack), around 40,000 bank accounts exhibited suspicious activity over a 24-hour period. Around half of these have been the victim of some kind of cyber theft, with cash taken from the account.
Tesco has now halted online payments, admitting that it has “been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.”
Alan Woodward, a professor and cyber security expert at the University of Surrey, told the BBC that this incident could represent an “unprecedented breach” of UK banking cyber-security,
“I’ve not heard of an attack of this nature and scale on a UK bank where it appears that the bank’s central system is the target.”
Amounts missing from customers’ accounts appear to range from as little as £20 to thousands of pounds. As one customer complained,
“Spoke to Tesco after 1 hour 20 minutes on hold, like others, just waiting for a call back and no sign of my £2,400 today. I’m taking the day off work, I can’t go in feeling as low as this.”
Another victim explained that after £600 was fraudulently withdrawn from his account, he was left with just £21.88 in the bank,
“Tesco said they couldn’t offer me emergency funds but would offer £25 as a goodwill gesture. I’ve got food and petrol to pay for. I have a delivery of coal coming tomorrow for our coal-fired heater and I won’t be able to pay.”
Tesco’s share price took a sharp drop this morning, and at the time of writing remains some 2% down on yesterday’s close.
Tesco Bank chief executive Benny Higgins told the BBC he was “very hopeful” that customers would be refunded within 24 hours. He also apologized for any “worry and inconvenience” the incident may have caused.
Higgins was keen to reassure customers that they will not find themselves out of pocket,
“Any financial loss that results from this fraudulent activity will be borne by the bank.”
This is in accordance with UK law, which requires banks to refund customers for any unauthorized payment unless the bank can show that the customer acted fraudulently or with gross negligence (for example by giving someone their PIN). Customers must report an unauthorized payment promptly, however: banks are not required to refund payments that are more than 13 months old.
Although all online transactions have been halted by Tesco Bank, customers can still:
- Withdraw cash from cash machines
- Make chip and pin payments
- Pay bills
What Can You Do to Protect Yourself from Cyber Theft?
Until Tesco divulges exactly what happened, it is impossible to know how customers could have protected themselves from this attack. It could even have been an “inside job,” in which case there is very little they could have done anyway.
In general, the following precautions can help prevent your bank account from becoming compromised:
- Use good antivirus software and keep it up to date. It is not just Windows machines that are vulnerable to malware: Mac, Linux and Android devices can also become infected, and should be protected with antivirus and anti-malware software. The same should go for iOS, but Apple has removed antivirus apps from the App Store (and iOS sandboxes each app, so a third-party scanner could not inspect other apps in any case). For iPhone and iPad users the practical defence is to install iOS updates promptly and to install apps only from the App Store.
- Beware of phishing scams. Your bank will never send you an email asking you to confirm your account details. If an email claims there is a problem with your account, never follow a link in it: open your browser, type the bank’s usual address yourself (or use a bookmark you saved earlier) and log in from there. The deceptive part of a phishing link is the web address itself, and a message can look entirely convincing while pointing somewhere else.
- Keep a sharp eye out for anything that looks suspicious when using a cash machine. Card skimmers are designed to look like part of the machine, but read your card details and send them to criminals, and are often paired with a hidden camera or a fake keypad overlay to capture your PIN. Cover the keypad with your free hand when entering your PIN.
- Use strong, difficult-to-guess passwords, and do not reuse your banking password on any other site; a password manager makes this practical.
- Use two-factor authentication (2FA) wherever your bank, and any other service holding your money or your email, offers it.
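The phishing advice above (never follow a link in an email; go to the bank’s regular address instead) comes down to one check: does the link really point at the bank’s own host? The following is an added example, not code from the article or from Tesco Bank, showing how a link from an email is checked the way a practitioner would check it. The bank host names are an assumption made for the example, and the sample links are constructed to resemble typical phishing tricks: a brand name buried in a longer host, a `user@host` URL whose real destination is after the `@`, a lookalike domain, and a plain `http://` link.

```python
from urllib.parse import urlparse

# Assumed legitimate hosts for this example (not taken from the article).
BANK_HOSTS = {"tescobank.com", "www.tescobank.com"}


def looks_like_bank_link(url: str) -> bool:
    """Return True only if the link really points at the bank's own host over HTTPS.

    The comparison is made on the parsed host name, exactly, rather than by
    searching for the brand name anywhere in the URL. That is what defeats
    "www.tescobank.com.login-verify.example" (brand used as a subdomain) and
    "https://tescobank.com@evil.example/" (brand used as a user name; the
    real host is whatever follows the "@").
    """
    try:
        parts = urlparse(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal in the host
        return False
    if parts.scheme != "https":
        return False            # a bank login page is never plain http
    host = (parts.hostname or "").lower().rstrip(".")
    return host in BANK_HOSTS


# Constructed sample links of the kind found in phishing e-mails.
SAMPLE_LINKS = [
    "https://www.tescobank.com/account",                 # genuine
    "http://www.tescobank.com/account",                  # not https
    "https://www.tescobank.com.login-verify.example/",   # brand as subdomain
    "https://tescobank.com@evil.example/account",        # brand as user name
    "https://www.tesco-bank-secure.example/",            # lookalike domain
]


def classify(links):
    """Map each link to whether it passes the host check."""
    return {link: looks_like_bank_link(link) for link in links}


if __name__ == "__main__":
    for link, ok in classify(SAMPLE_LINKS).items():
        print("OK   " if ok else "PHISH", link)
```

Only the first sample link passes. Note what the check does not do: it says nothing about whether the page at that host is genuine, which is why the advice remains to type the bank’s address yourself rather than to trust a link that merely survives this test.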