A huge number of Tesco Bank’s customers’ accounts were compromised over the weekend, with money reported to have been fraudulently withdrawn from several thousand.
The attack, which is one of the biggest of its kind ever to occur in the UK, affected around 40,000 accounts, with money being stolen from 20,000 and “suspicious activity” reported in the remaining half. In response, Tesco Bank have issued an apology to affected customers and temporarily frozen all online transactions while they attempt to resolve the issue.
The Bank said, in a statement, that some of their accounts have been “subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently”.
Benny Higgins, chief executive of Tesco Bank, assured customers that “any financial loss that results from this fraudulent activity will be borne by the bank,” adding that “customers are not at financial risk”.
He said: “We will continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates”.
Several customers have taken to Twitter to complain both about the issue itself and about difficulties they have been having in getting in touch with Tesco Bank over the phone.
As of yet, details of the attack, including the identity of those responsible and their method of entry, have not been made clear. However, independent security experts are saying that the scale of the attack makes it likely that the security fault lies in Tesco’s central system.
Security consultant Alan Woodward described the attack as being unlike any other previously seen in the UK, saying: “I’ve not heard of an attack of this nature and scale on a UK bank where it appears that the bank’s central system is the target.”
Similarly, digital security expert Graham Cluley said that he believes that “there must have been a serious security vulnerability in [Tesco’s] website.”
Tesco Bank have issued no official statement regarding the amount of money that has been stolen, but some customers have reported losing as much as £700.
Higgins spoke to the BBC, again doing his best to assure customers that Tesco Bank are doing everything they can to redress customers who have been left out of pocket, and to stop any further money from being taken.
“That is why,” he said, “as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers.”
The Information Commissioner’s Office issued a statement in response to the attack, saying: “We’re aware of this incident and are looking into the details. The law requires organisations to have appropriate measures in place to keep people’s personal data secure. Where there’s a suggestion that hasn’t happened, the ICO can investigate, and enforce if necessary.”