40,000 HIT BY TESCO BANK CYBER HEIST
Fraud gang stole millions by hacking into accounts
AN INTERNATIONAL crime gang stole millions of pounds in the unprecedented cyber-attack on Tesco Bank, it emerged last night.
Fraudsters in Brazil and Spain hit more than a quarter of Tesco’s current-account customers in the biggest ever raid on a British bank.
The bank was forced to freeze all online transactions yesterday, causing further problems for anxious customers who had already faced long waits to speak to staff.
As police investigated the attack – and the crisis engulfing the company deepened – it emerged yesterday that:
Tesco Bank has faced repeated warnings over its lacklustre security systems;
Criminal gangs in Brazil have been targeting its customers for months;
The Financial Conduct Authority and Information Commissioner’s Office are investigating the weekend’s cyber-attack;
The Tory MP who heads the Commons
Treasury Committee called on the bank to explain what had happened.
Tesco saw a sharp fall in its share price yesterday as City regulators began a probe that could result in millions of pounds in fines if a breach of security rules is found.
Experts said the cyber-attack was the most significant ever on a UK bank, leading to fears a criminal network – or even a foreign government – may be responsible.
The National Crime Agency, which tackles organised and international crime, has also started investigating the hack.
Since February, Tesco Bank customers have been targeted by criminal gangs operating in Brazil – a hub of banking fraud – where much of the stolen money was channelled.
The bank yesterday had to apologise after customers accused staff of treating them with ‘complete contempt’ and making derisory offers of £25 compensation.
The security breach unfolded on Saturday night, when criminals are thought to have gained access to Tesco Bank’s computer systems, possibly using log-in information that had been stolen previously.
Customers checked balances online after being alerted to ‘fraudulent activity’ to find amounts from £20 to £3,000 had disappeared.
The firm initially claimed fewer than 10,000 accounts had been affected, but Tesco Bank’s boss yesterday revealed its scale was much more significant.
The head office of Tesco Personal Finance is in Edinburgh and Glasgow-born Bernard ‘Benny’ Higgins is the bank’s chief executive.
Brought up in the city’s Toryglen area, he was a keen footballer and was skipper of the Celtic youth team in the 1970s.
He graduated from Glasgow University with a first-class degree in Maths.
He started his career at Standard Life in Edinburgh and has earned millions from his jobs in finance
Four times married and a father of six, his CV includes an eight-year spell at RBS, where he rose to become chief of retail banking before moving to a similar post at HBOS.
Mr Higgins said hackers gained access to 40,000 of Tesco bank’s 136,000 current accounts, and took money from 20,000.
If each of those affected had £1,000 taken, that would mean £20million was stolen in total.
Tesco Bank, which has more than seven million customers overall, has refused to reveal how much was taken or how the hackers gathered the details of so many customers.
But some customers say that multiple payments were siphoned from their accounts – primarily to firms based in Brazil, but also some in Spain.
Nearly half of Brazil’s residents have fallen victim to banking fraud in the past five years.
Criminals began targeting the bank earlier this year with ‘phishing’ messages that try to trick customers into handing over information. The messages, sent between January and April, secretly redirected users to a number of Brazil-based websites.
Other account-holders suggested the perpetrators may have found a way to access the details of debit cards linked to current accounts.
One said somebody tried to pay for goods in Rio de Janeiro at 9am on Sunday with his card, despite the fact he never used it himself. He said: ‘It appears to the bank that someone has worked out the algorithm to create card numbers and start/end dates.
‘They told us that the specific transaction was a card-holder present and it was a swipe of the magnetic strip-type of transaction.’
Tesco Bank was forced to cancel an unknown number of credit cards earlier this year over a ‘data breach’, and was the target of a widespread phishing scam last year.
Tory MP Chris Philp, who sits on the Commons Treasury Committee, said a ‘very well-equipped organisation’ was behind the attack, and even suggested it may have been ‘state-sponsored’.
He said: ‘I think it is deeply worrying that a respectable institution like Tesco Bank has apparently been victim to a massive-scale hacking operation.’
He also called for regulators to ensure banks spend enough on maintaining their ‘often crumbling’ technological infrastructure.
The committee’s chairman, Tory MP Andrew Tyrie, said he will write to Mr Higgins to demand answers and seek reassurances a similar attack will not happen again.
‘This is just the latest in a long list of failures and breaches of banking IT systems, exposing many thousands of customers to uncertainty and disruption,’ he said.
Tesco Bank was criticised for its hapless response to concerned customers, who faced jammed phone lines as they tried to get answers.
And current-account customers had to endure yet more frustration yesterday as online transactions and debit payments were frozen by the bank.
Experts said the fraudsters may have targeted current accounts as they are linked to a higher number of payments than savings accounts, therefore allowing the criminals more access before the alarm would be raised.
US cyber-security firm boss Tom Kellermann said: ‘It is remarkable how many of these accounts were compromised and then pillaged in a relatively short period of time.’
Professor Alan Woodward, from the University of Surrey, added: ‘I’ve not heard of an attack of this nature and scale on a UK bank where it appears that the bank’s central system is the target.’
Attacks on financial institutions in Britain have risen from five in 2014 to more than 75 so far this year, according to the Financial Conduct Authority.
The attack came days after Chancellor Philip Hammond announced a £1.9billion strategy to deal with the increased cyber-security threat faced by the UK.
Mr Higgins said: ‘We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank.’
‘May have been state-sponsored’