Money was taken out of 20,000 accounts, at minimum
Tesco Bank has had to suspend all online transactions for its users today after hackers compromised at least 40,000 accounts and then withdrew money from half of those.
In a statement posted to Facebook, CEO Benny Higgins wrote, “This afternoon we began the process of refunding all customer current accounts that have been subjected to online criminal activity and we expect this process to be completed by the end of tomorrow.”
Some customers found that as much as $868 had been taken from their accounts before service was halted. New debit cards will be issued within 7 to 10 days to affected customers, while direct debits and bill payments continue to operate normally.
The breach, together with customer complaints about slow support from the bank's help desk (as of this past May, Tesco Bank has no physical branches), comes as the bank continues to expand the range of services it offers, including mortgages, foreign exchange, and insurance.
Tesco has made considerable progress as a financial institution. Being both a fintech entity and a retailer is lucrative enough that other supermarkets have entered the business, using the data they hold on customers' behaviour in both spheres to cross-sell goods and services.
Tesco Bank, founded in 1997 in competition with rival supermarket chain Sainsbury's own banking operation, now has about 7.8 million customers.
(In an unrelated incident in September, some customers’ accounts were double charged, but this was due to a processing error, not malicious action.)
We have reached out to Tesco for more details on the attack, and what will be done to address it as well as possible legal implications.
Common attacks on financial institutions
The company has not released any details of how its systems were compromised. As Geektime has previously reported, though, one common technique is spear phishing: targeted emails carrying malware are sent to bank employees, and once an account is compromised the malware spreads into internal systems and manipulates transaction requests. The Financial Times also notes that SQL injection could have been used. If so, the incident would resemble the April hack of Qatar National Bank's customer database.
Structured Query Language (SQL) injection is one of the least sophisticated attacks available, yet many institutions remain vulnerable to it. The attacker supplies input (a username, a search term, a URL parameter) that contains SQL syntax; if the application pastes that input directly into a query, the database server executes the attacker's statements as if they were the application's own. Because the database cannot tell the injected SQL from a legitimate request, the attacker can read records they should never see, log in as other users, alter stored data, and, depending on the account's privileges, change security settings on the server itself.
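The mechanism described above, as an added example that is not part of the original article and has nothing to do with Tesco Bank's actual systems: a constructed in-memory SQLite table stands in for a customer database, a login query that concatenates user input is bypassed with the classic `' OR '1'='1` payload and an account-update query is abused to rewrite another customer's balance, and the same queries written with bound parameters treat the identical payloads as plain data. Table, column and account names are invented for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a bank's customer table.
# Passwords are stored in plaintext only to keep the demo short; a real
# system would store salted hashes.
SAMPLE_CUSTOMERS = [
    ("alice", "correct-horse", "1 High St", 1200),
    ("bob", "hunter2", "2 Low Rd", 340),
]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, address TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted straight into the SQL text, so the
    database cannot distinguish attacker-supplied SQL from the app's own."""
    query = (
        "SELECT username, balance FROM customers "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return sorted(conn.execute(query).fetchall())


def login_parameterized(conn, username, password):
    """Values are bound separately from the statement, so the input is
    always treated as data and is never parsed as SQL."""
    query = "SELECT username, balance FROM customers WHERE username = ? AND password = ?"
    return sorted(conn.execute(query, (username, password)).fetchall())


def update_address_vulnerable(conn, username, new_address):
    """Same flaw in a write path: a crafted address can add extra SET
    clauses and replace the WHERE clause, editing any row the app can reach."""
    query = "UPDATE customers SET address = '%s' WHERE username = '%s'" % (
        new_address,
        username,
    )
    conn.execute(query)
    conn.commit()


def update_address_parameterized(conn, username, new_address):
    """Hardened form: the payload is stored verbatim as the address string."""
    conn.execute(
        "UPDATE customers SET address = ? WHERE username = ?", (new_address, username)
    )
    conn.commit()


def balance_of(conn, username):
    return conn.execute(
        "SELECT balance FROM customers WHERE username = ?", (username,)
    ).fetchone()[0]


def address_of(conn, username):
    return conn.execute(
        "SELECT address FROM customers WHERE username = ?", (username,)
    ).fetchone()[0]


# Classic authentication-bypass payload: closes the string literal and
# appends an always-true condition. Because AND binds tighter than OR, the
# vulnerable query becomes (username = 'alice' AND password = 'x') OR '1'='1'.
BYPASS_PASSWORD = "x' OR '1'='1"

# Write-path payload: terminates the address, adds a SET clause for the
# balance, retargets the WHERE clause at bob, and comments out the rest.
TAMPER_ADDRESS = "x', balance = 999999 WHERE username = 'bob' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, bypass payload:", login_vulnerable(db, "alice", BYPASS_PASSWORD))
    print("parameterized login, same payload:", login_parameterized(db, "alice", BYPASS_PASSWORD))
    update_address_vulnerable(db, "alice", TAMPER_ADDRESS)
    print("bob's balance after vulnerable update:", balance_of(db, "bob"))
    update_address_parameterized(db, "alice", TAMPER_ADDRESS)
    print("alice's address after parameterized update:", repr(address_of(db, "alice")))
```

The vulnerable login returns every customer row for the bypass payload, and the vulnerable update silently rewrites bob's balance even though the application only meant to touch alice's address; the parameterized versions return no rows and store the payload as an ordinary, harmless string. Bound parameters are the fix; escaping or filtering quotes by hand is not, because each database dialect has its own syntax that such filters routinely miss.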
(A DDoS attack could also be used as a distraction, in theory, but no major bank is known to have had customer data stolen under cover of such an outage.)
While many defences against SQL injection already exist (parameterized queries, input validation, and web application firewalls among them), along with tooling to catch malware, financial institutions could also consider deploying decoy systems, commonly called honeypots, that divert attackers into dummy environments away from production data.