Despite the recent high-profile hack on Tesco Bank, cyber criminals are increasingly unlikely to target financial services firms.
The Tesco Bank attack – branded unprecedented by top regulators – runs against the trend for hackers to focus on non-banks with lower levels of cyber security, City law firm RPC has warned.
According to the law firm, data breaches reported by UK banks to the Information Commissioner’s Office halved last year, falling from 23 to 11.
In contrast, reported breaches at insurers increased to seven last year, up from four the year before, and Independent Financial Advisors (IFAs) reported nine data breaches both last year and this year.
Last night Tesco Bank said it had resumed normal services for its customers after online transactions from current accounts were suspended following the attack.
The bank said £2.5m has been paid back to approximately 9,000 customers who had money taken from their accounts without their permission.
The number given for the current account customers hit by the fraud is fewer than half of the 20,000 initially reported to have been affected.
Yesterday the National Crime Agency (NCA) launched a criminal investigation into the hack, working with the National Cyber Security Centre and Tesco Bank, to provide "direct assistance to the company at their request, including on-site assistance".
RPC says that the biggest banks have invested heavily in enhancing their cyber-defences in recent years, building extremely robust firewalls and controls.
Phil Tansley, Legal Director at RPC, said:
The apparently successful cyber-attack on Tesco Bank is an extremely worrying development and a sign of the scale and sophistication some hackers can achieve. What happened to Tesco Bank clearly demonstrates that UK financial services businesses remain a key target for cyber-crime and that banks’ cyber-defences are not infallible.
However, the overall trend is for hackers to seek to exploit the path of least resistance – as banks have developed better cyber defences attackers have shifted their focus onto smaller, softer targets. The almost unlimited resources deployed by the biggest banks had been seen as displacing cyber-crime elsewhere.