"The Money Has Vanished": Tesco Bank Halts Online Payments After Cash Taken Out Of 20,000 Accounts

While we doubt this particular intrusion will be blamed on Russian hackers, thousands of British citizens were unable to access their money today when Tesco Bank, the lending arm of the U.K.’s biggest grocer, said it suspended online transactions after about 20,000 customers had money fraudulently taken from their accounts. Tesco Bank has more than 7 million customer accounts in total across a range of products like insurance and mortgages.

According to Bloomberg, about 40,000 of the bank’s 136,000 checking account holders experienced suspicious transactions over the weekend, Tesco Bank Chief Executive Officer Benny Higgins told BBC Radio 4’s Today program. Roughly half, or 20,000, had money taken from their account. The problem has only affected checking accounts, a representative for the bank said. Customers can still use their account to withdraw money from cash machines or to pay for goods at a retailer, Higgins said. Any financial loss will be borne by the bank and customers are not at financial risk, he said.

Tesco has yet to use the word "hacking" to describe the breach, and CEO Higgins added tbat he was "very hopeful" customers would be refunded within 24 hours.

All Tesco Bank will say is that it has been the victim of "online criminal activity" so there was little detail on the nature of the attack, the BBC noted. But what is different is that it involves tens of thousands falling victim in a 24 hour period to what appears to be an automated process, rather than individuals clicking on links in phishing emails or having their details stolen after downloading malicious software.

That could involve the attackers exploiting a vulnerability in the bank's website - or even gaining physical access to a branch and then the central systems. Whatever has happened, the damage to trust in Tesco Bank and online banking in general will be greater than the financial cost.

Tesco customers complained on the bank’s website of seeing amounts varying from 20 pounds ($24.80) to 600 pounds missing from their accounts. The U.K. Financial Conduct Authority is aware of the matter and working with the bank on it, a spokeswoman said.  Tesco Bank started offering checking accounts in 2014. The declining fortunes of Tesco’s domestic supermarket business means the bank represented about 17 percent of group operating profit in the last financial year.

One cybersecurity expert said this could be an unprecedented breach at a British bank.

"I've not heard of an attack of this nature and scale on a UK bank where it appears that the bank's central system is the target," said Prof Alan Woodward, a security consultant who has worked with Europol.

Over the weekend, customers complained about money being withdrawn without permission, cards being blocked and long delays to get through to the bank on the phone.

Kevin Smith, from Blackpool, told BBC he had lost £500 from one account and £20 from another. He said: "I was just about to go to bed when I received a text message from Tesco saying there had been fraud on my account. So of course you panic."

Alan Baxter, from Berwick-upon-Tweed, said he had lost £600, leaving him with just £21.88 in the bank. He said: "Tesco said they couldn't offer me emergency funds but would offer £25 as a goodwill gesture.
"I've got food and petrol to pay for. I have a delivery of coal coming tomorrow for our coal-fired heater and I won't be able to pay."

'Money has vanished'

Other customers complained on Tesco Bank's website and through social media about long delays when calling the company's customer service line to find out if their account was affected. Mark Noakes, from Thrapston, told the BBC: "Looked at my account this morning to find a large hole! There was £2 in there; there should have been a lot more!

"Finally got through to customer services to be told it would take 48 hours to sort as there had been a lot of transactions on my account that could not be linked to me or my wife.

"For such a big company they are not being professional. I'm doing well compared to some others as I have another bank account and this will all get sorted somehow."

As Bloomberg notes, some of the world’s biggest financial institutions, including JPMorgan Chase & Co., HSBC Holdings Plc and the Federal Reserve Bank of New York, have all been cyberjacked in some way in the past couple of years. In the second quarter of this year, there was a 50 percent jump in activity by cybercriminals injecting malware programs into financial companies worldwide from the same period in 2015, according to Kaspersky Lab, a global cybersecurity company.

The crime was committed at a time “when banks are typically understaffed and will respond more slowly,” Cliff Moyce, global head of financial services at consultant DataArt, said by e-mail. “Automated fraud detection systems appear to have worked well, but a lack of people at desks will not have helped.

* * *

A National Crime Agency (NCA) spokesman confirmed it leading the investigation into the case, but stressed there was "no set formula" for dealing with cyber attacks, which tend to "vary in terms of sophistication".  "It will be investigated and hopefully that will lead to action and arrests," he said.

The UK's data regulator, the Information Commissioner's Office, also said it was looking into the case and could investigate if customers' personal data has not been kept secure. Tesco Bank said: "We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, Twitter, and direct communication."