Daily Management Review

20,000 Tesco Bank Accounts Lose Money to Cyber Fraudsters

Money was removed from 20,000 customer accounts at Tesco, Britain's biggest retailer, after 40,000 customer accounts were attacked over the weekend.
The hack is the first on a British bank known to have resulted in customers losing money. It adds to growing concerns about the British financial sector's vulnerability to cyber attacks, which have jumped in frequency over the past two years.
Although customers could still use their bank cards in shops and to withdraw money from cash machines, Tesco Bank, which manages 136,000 current accounts, stopped all online transactions while it worked to resume normal service.
"Any financial loss that results from this fraudulent activity will be borne by the bank. Customers are not at financial risk," Tesco Bank Chief Executive Benny Higgins told BBC radio.
"We think it would be relatively small amounts that have come out but we're still working on that," he said, adding that he expected the cost of refunding customers would be "a big number but not a huge number".
With about 2 percent of current accounts, the bank is a minnow in Britain's retail banking market and represents only a small part of Tesco's overall business.
In the first half of its 2016-17 financial year, it contributed 503 million pounds ($623.4 million) to the group’s revenue of 24.4 billion pounds.
Tesco Bank risks serious reputational damage from an attack that affected 29 percent of its customer current accounts even though the financial hit to the group may be limited.
The Financial Conduct Authority (FCA), which regulates the sector, said it was not aware of any previous incident in which customers had lost money, even though other British banks have been targeted by cyber attacks in recent years.
Bank executives and providers of security systems say there are many unreported attacks on British banks, even as FCA data shows that reported attacks on financial institutions in Britain have risen from just five in 2014 to over 75 so far this year.
Earlier this year, HSBC's UK personal banking websites were shut down by a “denial of service” attack. Customer funds were not under threat in that incident, but the bank did issue a series of apologies to customers.
Reduced staffing levels over the weekend were likely to have been one of the reasons for the impact of the hack, said Cliff Moyce, global head of financial services at DataArt, a network of technology consulting and software services firms.
"The clever part was doing it over the weekend when banks are typically understaffed, and will respond more slowly. Automated fraud detection systems appear to have worked well, but a lack of people at desks will not have helped," he said in a comment emailed to media.
Telecoms firms TalkTalk and Vodafone, business software provider Sage and electronic goods retailer Dixons Carphone are some of the other well-known British brands hit by significant cyber attacks over the past year.