Cape Times

Frustrating silence over £2.5m UK bank cyber-heist

- Lawrence White and Ritvik Carvalho

BRITISH banking executives and security experts are growing frustrated at the dearth of information available more than three months after £2.5 million (R42m) was stolen from Tesco Bank in the UK’s biggest financial cyber-heist.

Security officers normally share information on an informal basis immediately after the incident so other banks can check their systems, sources at four of Britain’s biggest lenders said.

In the case of Tesco Bank, a small lender with annual profits of just £162m, details about how the money was stolen and what vulnerabilities were exposed have yet to be provided.

Confusion

The case has exposed the lack of proper procedures to share information as well as confusion over which government agency has ultimate responsibility for the issue, lawmakers and executives say.

“It is very frustrating,” a senior executive at one of Britain’s largest banks told Reuters. “The gentlemen’s code has been broken.”

A risk officer at another of Britain’s biggest lenders said a formal regulatory system was essential in a financial centre like London where hundreds of banks of all sizes operate.

“I am not going to criticise them, the problem is the structure,” he said.

The November 5-6 attack, which affected 9 000 Tesco Bank customers, is the first major case to be investigated by Britain’s new National Cyber Security Centre (NCSC), working with the National Crime Agency (NCA).

The NCSC did not respond to requests for comment on the Tesco case.

An NCA spokesman said: “The investigation is ongoing therefore it would be inappropriate to comment further.”

Pressure

The new body is coming under pressure from the financial industry and lawmakers to act quickly.

“It is up to the NCSC to institutionalise the sharing of information and give some kind of obligation or requirement for feedback after an attack like Tesco Bank,” Troels Oerting, group chief Information Security Officer at Barclays, told Reuters.

A team of academics from the University of Newcastle said in December that a relatively unsophisticated method known as “distributed guessing” could have been used to generate usable card payment details in the November attack.

A spokesperson for the bank, which is owned by leading supermarket chain Tesco Plc, declined to discuss the specifics of the case.

“We continue to work closely with the authorities and regulators in their investigation of the criminal incident that took place last year.

“Our priority throughout has been to look after our customers,” the spokesperson said.

Bank executives and cyber security experts told Reuters in October that they feared Britain’s banks were not reporting the full extent of the cyber attacks to regulators for fear of punishment or bad publicity. – Reuters
