Tesco Bank has frozen all online transactions after fraudulent activity was discovered on 20,000 current accounts. The bank has 7.8 million customer accounts across the UK, of which 136,000 are current accounts.
Tesco Bank’s chief executive, Benny Higgins, confirmed that “some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently”. He said that affected customers would be refunded.
According to the Daily Telegraph, “The attack is believed to be the worst banking security failure to date, in terms of numbers of people affected, although Tesco has downplayed the sums of money involved.”
The Financial Conduct Authority, the National Crime Agency and the Information Commissioner’s Office have all been informed and are investigating. The Financial Times reports that a spokesman for the ICO said: “The law requires organisations to have appropriate measures in place to keep people’s personal data secure. Where there’s a suggestion that hasn’t happened, the ICO can investigate, and enforce if necessary.”
Financial sector security
The financial sector is becoming increasingly concerned about fraud following a series of high-profile wire fraud incidents this year, the worst of which, in terms of losses, was the theft of some $81 million from Bangladesh’s central bank in early 2016.
The interbank messaging service SWIFT, having come under pressure to improve cyber security in the financial sector and reduce the risk of wire fraud, duly introduced a new set of core security standards this September to “raise the security bar for customers on the SWIFT network”.
More than 11,000 banking and securities organisations, market infrastructures and corporate customers in more than 200 countries use SWIFT’s messaging platform, products and services. All of them are required to comply with SWIFT’s new baseline cyber security controls by 1 January 2018.
We’ll update this blog when more details about the Tesco Bank incident become available.
Update: 9 November 2016
Last night, Tesco Bank announced that “normal service has resumed” for its customers. Providing more details about the incident, the bank confirmed that 9,000 current account holders were identified as victims of fraud – less than half the number originally estimated – and the cost of refunding them is an estimated £2.5 million. No personal data was compromised.
Tesco Bank CEO Benny Higgins said: “Our first priority throughout this incident has been protecting and looking after our customers and we’d again like to apologise for the worry and inconvenience this issue has caused.”