Poor Tesco. Just as it seemed to be moving on from one of the biggest British corporate scandals of recent times (and scoring a few reputational points by winning the Marmite wars) it has discovered another spanner in the works. This time it’s in the form of a cyber attack, and not just any old hack - one affecting as many as 40,000 of its banking customers.
This morning Tesco Bank chief Benny Higgins admitted that ‘some’ of its customers’ accounts ‘have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.’ As a result it has temporarily frozen all online transactions from its current accounts, including the use of debit cards to shop online. ‘We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts,’ Higgins said.
Of course we hear about cyber attacks all the time nowadays. From TalkTalk to Yahoo, barely a month goes by without some big company admitting thousands of its customers have had their data stolen. But the specifics of this attack are quite extraordinary. While most hackers manage to steal reams and reams of addresses, emails and passwords, and often bank account numbers, a criminal gaining direct access to this number of bank accounts over the course of a couple of days is seemingly unprecedented. ‘I've not heard of an attack of this nature and scale on a UK bank where it appears that the bank's central system is the target,’ security consultant professor Alan Woodward told the BBC.
There are several theories doing the rounds as to how the fraud might have occurred. It could have simply been the result of mass phishing - where customers give away their own details after clicking on dodgy links - but the size and speed of the attack (especially given the bank only has a total of 136,000 current account holders) suggests it was something more direct.
It’s left many of the bank’s customers fuming, and quite reasonably. Those affected will of course be reimbursed soon. It’s not entirely clear how much that will cost the bank, but with some customers reportedly short thousands of pounds it will surely be a big wedge. Higgins says the total amount Tesco has to repay will be ‘a big number but not a huge number’ (perhaps a line he used when trying to justify spending £18,000 on taxi expenses in eight months). Some customers have been offered £25 by way of additional compensation for the inconvenience, a derisory amount that will have only frayed tempers further.
Of course the real cost will come later in the form of reputational damage. I don’t know about you but I’m certainly in no hurry to go out and switch my current account to Tesco now. While people might forgive TalkTalk for neglecting to keep their email address secure, allowing your customers’ cash to be stolen directly from their account is a whole other level of disaster.
The thought of this kind of attack is exactly what has those running Britain’s big banks waking up in cold sweats. If increasingly sophisticated hackers managed to get a similar amount of access to accounts held by the likes of HSBC, RBS, Barclays and co. then expect real panic. The public already has a dim view of Britain’s financial sector, but for now they at least trust it to keep their cash secure. If that trust were to go up in smoke then the banks – and the wider economy – would be in big trouble.