Unprecedented breach at Tesco Bank

Unprecedented breach at Tesco Bank

On Sunday, Tesco Bank confirmed that 9000 customers had had funds removed from their accounts, in an attack which the banking regulator has described as "unprecedented in the UK".


Don’t bank on it…

Updated 22:20 to reflect Tesco Bank’s reduced claim for the number of accounts compromised

On Sunday, Tesco Bank confirmed that 9000 customers had had funds removed from their accounts, in an attack which the banking regulator has described as “unprecedented in the UK”.

From the various reports I have picked up a number of interesting features:1) The bogus transactions are reported to have come from abroad, Brazil having been specifically cited.2) The problem came to light on Sunday morning, which probably meant the attack was deliberately scheduled for a day when foreign attackers used to a 5 or 6 day banking week might have expected the attack to go unnoticed for 24 hours.3) The sheer volume of accounts compromised suggests it was not a matter of a successful phishing run or compromising user authentication details for each account.4) The vector of attack was either systemic, or may have been the result of a prior compromise at a third party (similar to the Target attack in the US last year).5) Each individual reported loss figure appears to be multiples of 300 pounds.

The 300 pounds figure, in particular, looks interesting, given that that is a common withdrawal limit for UK debit cards. Clearly it was caught reasonably quickly, although reading between the lines only after customers started raising the alarm. This puzzles me, because I know from my own experience that my own bank has raised fraud queries with me over foreigh transactions at spending levels much lower than this. As usual, there are two questions associated with this attack: what was the specific vector of compromise, and which protections – if any – should have trapped it failed to?

Tesco Bank have themselves – in promising to reimburse all customer losses from the attack – all but admitted responsibility and that the problem was systemic. I am of the opinion that they should be open and reveal the complete details of their findings once their investigation and remediations are complete, so that others may learn from the experience.

Trust fund?

The consequences of this incident to Tesco Bank could be long-term, and significant. From a purely dispassionate perspective, this will be an interesting scenario to watch play out. But of course there is more to it than that.

Firstly there is the financial impact of the reimbursement, although given any bank’s standing reserves that should be, one might hope, if not trivial then at least undamaging to the bank’s continued operation.

Secondly, as one respected security commentator remarked to the BBC, it can be expected to dramatically affect public trust in the bank, and that could in its turn have significant impact on future business. The financial cost is unpredictable, but it could be noticeable.

Thirdly, not only have some of the bank’s customers been inconvenienced, they are all already being warned – not just by pundits but by the Government’s fraud protection agency – to be on the lookout for further fraud attempts, regardless of whether their accounts were tapped in the original attack or not. The near certainty that this was a mechanistic attack leaves open the possibility that significant customer details were exfiltrated before the monetary facet of the attack began. If they were, the criminals will now be in possession of significant sensitive information, which could allow them to mount further extremely plausible phishing attempts be it by e-mail, by telephone, or old-fashioned postal mail. (That last one is rarely seen these days, due to the inconvenience and cost of handling and sending paper, but if the value of the target is big enough they may consider it worth the effort.)

Fourthly, hypothetically – and this is the real kicker – if this breach was the result of negligence or bad practice it could lead to the banking regulator or the ICO, or perhaps both, getting involved more directly than they already will be, which could eventually lead to the bank facing punitive sanctions.

So here we are back to the drum I beat most commonly when writing about information security: regardless of their field of endeavour, every organisation has an asset that is mostly overlooked – customer trust. Once damaged by an incident – especially one of the severity of Tesco Bank’s – it can be hard to recover. Better, then, to protect it by taking action to prevent malicious attacks by engaging regularly in active penetration testing and security reviews, not just of your own organisation but also of subsidiaries and the supply chain.

  • Recent Articles
Author Details
Founder & CEO at Hedgehog Security

Peter has been in the Information Security world since 1999 and in IT in general since 1996. His work history contains a unique blended balance between the development of exceptional technical capabilities and business knowledge. Peter is a proud father of twins and enjoys GT endurance racing on the weekends.

We would like to keep you informed about our services. Please tick the options below to receive occasional updates via

  • penetration testing steps
    Peter talks to FindMyUkCasino
  • Malware
    SB Tech Breach

    Last week saw SB Tech Breached by the hacking group Maze. It seems that every week the group are announcing more victims.  GameOn asked our CEO Peter Bassill, to give us some insight into the attack. The GameOn article is here.

  • Privacy
    Howto VPn

    In our “How to securely” series we asked our followers what tools they would like a simple guide on to help them stay secure online. There seemed to be a lot of confusion as to what a VPN is and why you should or should not use one. So we asked Peter to help.

  • WhatsApp
    How To Whatsapp Safely

    WhatsApp is among the fastest-growing instant messengers out there, and almost a social network in its own way. But if you are using it, there are some steps you should take to protect your security and privacy.

  • Morrisons Breach Update

    The UK’s highest court ruled that Morrisons can not be liable for a criminal act of a person seeking to harm their business. On April 1st, 2020, a panel of five justices unanimously ruled that Morrisons was not “vicariously liable”.

  • Remote Working Considerations

    With the current pandemic situation, we all need to be taking remote working considerations. While adjusting the work paradym, it is vital to keep a mind’s eye on the security and safety of the businesses information assets

  • Securing Zoom
    How To: Securing Zoom

    In this guide we are looking at how to go about securing zoom. Since the onset of the global pandemic, we have seen surge in “zoom bombing”. This is where people with malicious intent look for in-progress zoom meetings to join and cause trouble.

  • Software Security
    Dell EMC iDRAC memory corruption Vulnerability

    A critical vulnerabiltiy has been identified in Dell EMC iDRAC7, iDRAC8 and iDRAC9. Some unknown processing is affected by this issue. Manipulation with an unknown input can lead to stack based memory corruption.

  • Hiscox Sues for Failing to Disclose Data Breach

    On March 27th, Hiscox Insurance Company Inc. filed a complaint against law firm Warden Grier for concealing a data breach that occurred back in 2016.

  • Software Security
    Privilege escalation on Nginx Controller up to 3.1.x Controller API

    A critical vulnerability has been identified in Nginx Controller up to 3.1.x (web server,) affecting an unknown code block of the component Controller API.

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on pinterest
Scroll to Top