Tesco Bank, a Scotland-based bank and subsidiary of U.K. supermarket giant Tesco, recently blocked all online transactions tied to customers’ checking accounts after money was stolen from an estimated 20,000 of those accounts and the bank detected suspicious activity involving another 20,000 accounts, according to CEO Benny Higgins.

On November 9, 2016, the Bank reported that nearly $3 million was stolen from affected accounts, which are operated through an app or online. Customers have reported that sums have been transferred to Spain and Brazil. The Bank said it first saw signs of fraud on the evening of Nov. 5. Some Tesco customers, taking to the bank’s customer service website, have reported that their accounts were unexpectedly drained over the weekend. Others have reported difficulty connecting with telephone-based Tesco call center staff. The Bank has stated that it will refund all accounts for every customer affected by the breach.

Scant Details

Tesco has so far avoided referring to the incident as involving either a data breach or a hack attack. But the breach almost certainly involved a system-level compromise, although it’s unclear if insiders, outsiders or both may have been involved.

It is still unclear how the affected customer accounts were breached. The number of victims would be extremely large for a phishing campaign, so the breach must be within the bank’s systems.

The breach could prove costly not only for Tesco but for other banks. Breaches of this size and scale may take months to fully investigate, and if it emerges that the breach was due to a vulnerability in the bank’s online systems, it will lead to a loss of trust not only in Tesco Bank but may also impact people’s confidence in the online systems of other banks.

The big question is how the perpetrators were able to access so many accounts. Internet banking utilizes multi-factor authentication.  Were two-factor authentication tokens compromised?  If so, that could cast a shadow across the whole online banking and finance sector.

As the old adage goes, “there is no such thing as a secure network.” This breach certainly highlights that fact. A financial institution with more than 7 million customers is going to spend a significant amount of resources on security, and if they can be hacked, if JPMorgan can be hacked, then there really are no such things as secure networks.

There are, however, well-managed networks. Is your network adequately managed? Contact us at pbmares.com to learn more about our cyber security services and how we can help your organization prepare for the growing threats of cyber risk.