Great Tesco bank robbery
Customers’ fury over security breach as cyber hackers plunder thousands from their accounts
FURIOUS customers last night attacked Tesco Bank’s shambolic response to a suspected cyber attack in which thousands of pounds were plundered from their accounts.
The security breach – thought to be the most significant ever on a British bank – caused chaos as thousands of people discovered money had been stolen from their savings accounts over the weekend.
They were then forced to wait for hours to speak to the bank – only to be offered a derisory £25 in compensation.
Tesco Bank assured customers on Saturday night that it had frozen the targeted accounts, but many said money was still being siphoned off yesterday afternoon.
Tesco refused to say how many customers had been affected, saying only that a ‘small proportion’ of its 7.8million accounts
‘They offered me £25, which is laughable’
were involved. At one stage it claimed that fewer than 10,000 had been targeted.
The attack will raise fresh concerns about internet security, with experts warning that online banking was becoming an increasingly popular target. Tesco Bank customers, many of whom were left without money after their payment cards were blocked, questioned how their bank’s supposedly robust security systems had been breached.
And they accused the company of treating them with ‘complete contempt’ after they were forced to spend hours desperately trying to get through to staff on jammed phone lines.
The apparent cyber attack unfolded on Saturday night when the bank warned customers about suspected ‘fraudulent activity’. After the alert, many customers discovered that sums of up to £3,000 had been skimmed from their accounts through unauthorised payments made to mysterious companies, including accounts in Brazil.
Customers were told to contact the company immediately after receiving the warning, but said their repeated calls and queries went unanswered.
Many waited anxiously for up to 18 hours, fearing they had lost much of their savings after failing to receive reassurances from bank officials. Tesco Bank yesterday promised defrauded customers a full refund within 24 hours and said cancelled cards would be replaced within ten days.
But customers criticised the decision to block their cards, leaving many of them without access to money over the weekend, and rejected the meagre compensation on offer.
One customer wrote on Tesco Bank’s customer forum yesterday: ‘Because of your failure to be open about this, I have moved all of the money in my Tesco current account to another bank.’
Another added: ‘I will be moving my money, not because I am worried about fraud but because the response to this incident has been appalling and shows complete contempt for customers.’
Business analyst Ajeet Khatri, 38, from Ilford, Essex said three payments of £1,000, £900 and £25 were siphoned out of his account on Saturday night and paid to two unknown companies.
Alan Baxter, from Berwickupon-Tweed, was left with just £21.88 after £600 was taken.
After waiting for an hour to get through to the bank, he said an operator simply took his details and promised to get back in touch within 48 hours. ‘They offered me £25 compensation which I think is laughable,’ he said. ‘I’ve got food and petrol to pay for.’
Jamie Davies, 60, said he spent hours trying to phone the company after receiving a warning message at 10.20pm on Saturday. The software company manager, from Cambridge, said: ‘These things can happen but the real test is how quickly you respond to it. But having asked us to call we just could not get through.’
Dr Christopher Richardson, head of Bournemouth University’s cyber security unit, said attacks on banks were an ‘ongoing problem across the world’.
‘The whole supply chain of internet banking is fraught with the ability to fraud,’ he said.
Online security experts said there were numerous ways in which cyber-criminals could have orchestrated the apparent attack on Tesco Bank.
Some said the thieves may have secured data via a phishing scam – where customers are tricked into revealing online login details through bogus emails or texts disguised as genuine messages from their bank – over a period of time before deciding to use the information in a targeted strike.
A third-party company used by the bank to process money may also have been targeted.
Tesco Bank said last night: ‘We are investigating the cause of the incident and looking at all potential scenarios. Our first priority is protecting customer accounts and refunding them.’