Money was taken from around 20,000 Tesco accounts, the bank confirmed today, in an attack that was discovered on Saturday. Customers have been unable to make transactions online as a result of the incident.
Treasury Committee chair Andrew Tyrie MP said today that he would be writing to Benny Higgins, Tesco Bank's chief executive, "to find out what went wrong, and what actions are being taken to reduce the likelihood of it happening again".
Long list of failures
"This is just the latest in a long list of failures and breaches of banking IT systems, exposing many thousands of customers to uncertainty and disruption," said Tyrie.
"At the beginning of the year, I wrote to the regulators urging them to take action to ensure that banks improve the resilience and security of their systems, and their IT expertise.
"Millions of customers remain unnecessarily exposed to the risks of IT failures, including delays in paying bills and an inability to access their own money."
He added: "Making sure that banks improve their IT systems, and their resilience to cybercrime, is also a responsibility of regulators.
"We will raise this issue with them again shortly. We can't carry on like this."
"The fact that Tesco's fraud prevention systems identified suspicious activity but failed to decline many fraudulent transactions raises serious questions about the bank's IT systems and fraud prevention capabilities," said Jay Floyd, head of fraud strategy and solutions EMEA at ACI Worldwide.
"There are several potential explanations for this attack. It could be a case of internal fraud, where someone with access to the relevant databases has leaked data, or an internal team breach, whereby employees working for fraudsters, or fraudsters themselves, work within call centres and harvest the data over a specific time period.
"The breach could have also originated via internal offshore operations, in countries with lower fraud prevention processes and employee checks, or it could simply be due to external fraud conducted by hackers."
Floyd added: "An attack like this needs to kick-start a complete review of the bank's internal fraud prevention strategy. Examining the timing of the fraud will also be key; the fact that the attack happened over the weekend, when fraud departments can be thin on the ground, is an important factor which needs to be looked at."
How it was handled
"What's noteworthy about this particular breach is how it was handled over the weekend," said Andrew Bushby, UK director at Fidelis Cybersecurity.
"While the customer service team at Tesco most likely did all it could to advise customers, it simply didn't have enough resources to keep up with the flurry of concern both via phone and social media."
Bushby warned that hackers can attack at any time, meaning companies need to be prepared for whenever they might hit.
"An advisory process needs to be designed beforehand and customer advisers need to be set up to answer questions from potentially affected customers," he added.
"Having a plan of action like this will put the organisation in control, consumers will trust that every precaution has been made to protect their finances, and distress will be minimised."