This article was published on November 7, 2016

    20,000 Tesco Bank customers lose thousands in online attack

    Image by: Oli Scarff
    Story by Matthew Hughes

    Former TNW Reporter

    Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twitter.

    Tesco Bank has suspended online payments after hackers were able to break into its systems and drain the accounts of tens of thousands of its customers.

    There are conflicting reports as to how many accounts have been affected. According to Benny Higgins, CEO of Tesco Bank, 40,000 accounts have had suspicious transactions, while the BBC’s finance correspondent Simon Gompertz said that 20,000 accounts have had money taken.

    As a precautionary measure, the bank has blocked the debit cards of those accounts thought to be affected. It has also pledged to refund any monies lost through the hack. Higgins has said that the total amount stolen was a “big number but not a huge number”.

    It’s not immediately clear how the hack took place. Speaking to Business Insider, Cliff Moyce, global head of financial services at DataArt, said that the timing of the attack would have helped. Because it was orchestrated on a weekend, the bank had fewer staff in the office and was therefore less able to identify and quickly mitigate the threat.

    Moyce added that the chance of the attack being a “remote technical hack” is less than fifty percent. He said that the cause is far more likely to be the action (or inaction) of a human actor, or sloppy data management protocols.

    “Tesco will need to investigate the possibility of an ‘economic hack’ in which an offshore employee is offered multiples of their annual salary in return for a tranche of customer data. But incompetence (e.g. weak control) rather than ill intent from an employee or sub-contractor remains the more likely factor to be correlated with the malintent of the criminals.”

    Several people have taken to Twitter to complain about their missing funds. Londoner Ajeet Khatri said that £2000 is missing from his account, while another Twitter user complained about a missing £1600. Many are also angry at the long wait times to speak to a customer representative, with some reporting two-hour waits.