Adam Bannister

Editor, IFSEC Global

Author Bio ▼

Adam Bannister was Editor of IFSEC Global from 2014 through to November 2019. Adam is also a former Managing Editor at Dynamis Online Media Group.
November 7, 2016

Sign up to free email newsletters


The State of Physical Access Control in EMEA Businesses – 2020 Report

Tesco Bank on the hook for 40,000 refunds amid speculation that supply chain vulnerability is to blame

tesco-bankThe theft of funds from thousands of Tesco Bank accounts in a single weekend is by far the biggest crime of its kind.

When it comes to data theft, similarly sized breaches at blue chip companies are reported regularly, but until now banks have been largely successful in insulating customer funds from cyber attack.

But the Tesco Bank fraud, which affected 40,000 accounts with customers reporting the disappearance of as much as £600, is the first time ever that such a large number of customers at a major bank have lost money as a result of a single, coordinated attack.

The bank, which is owned by the eponymous supermarket giant, has temporarily frozen online transactions and pledged to refund those affected.

Although Tesco Bank is yet to confirm how attackers gained access to their network, one serious possibility is that a third-party retail partner was compromised.

“Businesses like Tesco must ensure they have some form of behavioural monitoring solution in place at all times, to identify and combat any breaches and suspicious activity from staff and partners alike immediately.” Dr Jamie Graves, CEO at behaviour analytics developer ZoneFox

“Very real and very serious”

“What is worrying for Tesco is that the now infamous Target breach in 2013 followed a similar trend, and of course resulted in record amounts of customer information being compromised,” said Dr Jamie Graves, CEO at behaviour analytics developer ZoneFox.

“What is clear here is that the issue of supply chain or partner security is very real and very serious, given these partners can have a great deal of access to an organisation like Tesco’s network. This effectively makes them an ‘insider’ or ‘trusted party’ within the walls of that company.

“As with any insider or trusted partner, if proper monitoring is not put in place, then security incidents like the one that happened over the weekend can occur quickly and without warning.

“In order to identify and remedy the situation as fast as possible, businesses like Tesco must ensure they have some form of behavioural monitoring solution in place at all times, to identify and combat any breaches and suspicious activity from staff and partners alike immediately.”

Supply chain vulnerabilities was also highlighted as a major issue by Advent IM founder Mike Gillespie in a recent interview with IFSEC Global. “Once you’re inside a supply chain entity, it’s often easier to move down networks from inside than it is to attack a fortress from the outside,” he said.

“Businesses need to think about what’s in their supply chain up and downstream from themselves. If just one of our suppliers has no cyber security, then the whole of our supply chain is potentially compromised.”

One Tesco Bank customer has reported that cash had been withdrawn from his account, apparently from Rio de Janeiro in Brazil, in four separate transactions. Another customers has reported that online transactions totalling £300 had been sent without their knowledge to two companies she had never heard of.

Suspicious activity

The bank’s telephone helpline was then unable to cope with the deluge of phone calls from customers, many of whom could not get through.

Benny Higgins, CEO of Tesco Bank, said 40,000 accounts had been affected ( the bank has seven million customers in total), half of which had had money withdrawn over the weekend in what he described as “online criminal activity”.

The bank sent text alerts to account holders late on Saturday when it detected suspicious activity on multiple accounts.

The Financial Conduct Authority is monitoring the situation. The National Crime Agency said it had been notified by Tesco Bank and was coordinating a response among law enforcement agencies.

Higgins said: “While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible.”

The fraud will be a hammer blow to the bank’s efforts to elbow its way into the “big four” of Lloyds, RBS, HSBC and Barclays.

An ICO spokesperson said: “We’re aware of this incident and are looking into the details. The law requires organisations to have appropriate measures in place to keep people’s personal data secure. Where there’s a suggestion that hasn’t happened, the ICO can investigate, and enforce if necessary”.



Learn about protecting critical national infrastructure in this exclusive webinar

Catch-up with IFSEC International's unmissable Digital Week webinars to discover how the security industry is protecting CNI during COVID-19, featuring BRE's Richard Flint, Iain Moran from ATG Access, Technocover's John Barty and Russell Ridgway of Barkers Fencing.

Sign up for free to watch the webinar and complete your lockdown learning!


Related Topics

Notify of
Inline Feedbacks
View all comments