£2.5m in pay-outs for Tesco Bank customers following 'unprecedented' cyber hack
Tesco Bank has had to pay £2.5m to 9,000 customers following a cyber-attack last weekend that was described as the first mass hacking of a western bank.
Normal service has now resumed for customers following a freeze in online transactions. Accounts that had lost money were reimbursed last night.
“We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal,” Tesco Bank CEO Benny Higgins said in a statement.
The bank, whose operating income has accounted for as much as a quarter of Tesco’s total in some years, added that no customer data had been compromised.
Yesterday the chief executive of the Financial Conduct Authority (FCA) said authorities were working to find the “root cause” of the breach.
“There are elements of this, as far as we can tell at the moment, that look unprecedented,” Andrew Bailey told MPs at a Treasury Select Committee hearing.
“The heart of concern is what is the root cause of this and what it tells us about the broader threats.”
Committee chairman and Tory MP Andrew Tyrie said the case looked “extremely serious”, affecting around one in seven Tesco Bank account holders.
Tesco Bank had previously said money was fraudulently withdrawn from 20,000 of its 136,000 current accounts over the weekend, with suspicious activity being tracked across 40,000 accounts. It revised the number of affected accounts down to 9,000 on Tuesday.
Customers affected by the transaction block were still able to withdraw cash and use other services like chip and pin payments, while bill payments and direct debits continued as normal, Tesco Bank said.
The threat appears to have only affected the “debit card side of online banking”, but Bailey said “further urgent analysis” is required.
Cyber experts said that smaller banks, like Tesco’s, are more vulnerable to attack than global financial institutions, which have bigger cyber security budgets.
JPMorgan, for example, has disclosed that it spends about £500m on cyber security annually.
“Smaller and medium-sized companies may be more vulnerable, many of them have not invested properly in security measures and an incident like this should stimulate them to think again,” said Sergio Romanets, cyber security expert at consultant Greyspark Partners in London.
Reported attacks on financial institutions in Britain have risen from just five in 2014 to more than 75 so far this year, according to FCA data, but bank executives and providers of security systems say many attacks go unreported.
Last year, broadband provider TalkTalk was repeatedly hit with “significant and sustained cyber-attacks” that may have resulted in millions of customer details being accessed by hackers.