Tesco Bank on the hook for 40,000 refunds with supply chain vulnerability cited as possible cause
The theft of funds from thousands of Tesco Bank accounts in a single weekend is by far the biggest crime of its kind. When it comes to data theft, similarly sized breaches at blue chip companies are reported regularly, but until now banks have been largely successful in insulating customer funds from cyber attack. But the Tesco Bank fraud, which affected 40,000 accounts with customers reporting the disappearance of as much as 600, is the first time ever that such a large number of customers at a major bank have lost money as a result of a single, coordinated attack.
The bank, which is owned by the eponymous supermarket giant, has temporarily frozen online transactions and pledged to refund those affected. Although Tesco Bank is yet to confirm how attackers gained access to their network, one serious possibility is that a third-party retail partner was compromised. Businesses like Tesco must ensure they have some form of behavioural monitoring solution in place at all times, to identify and combat any breaches and suspicious activity from staff and partners alike immediately. Dr Jamie Graves, CEO at behaviour analytics developer ZoneFox Very real and very serious What is worrying for Tesco is that the now infamous Target breach in 2013 followed a similar trend, and of course resulted in record amounts of customer information being compromised, said Dr Jamie Graves, CEO at behaviour analytics developer ZoneFox. What is clear here is that the issue of supply chain or partner security is very real and very serious, given these partners can have a great deal of access to an organisation like Tesco s network. This effectively makes them an insider or trusted party within the walls of that company. As with any insider or trusted partner, if proper monitoring is not put in place, then security incidents like the one that happened over the weekend can occur quickly and without warning. In order to identify and remedy the situation as fast as possible, businesses like Tesco must ensure they have some form of behavioural monitoring solution in place at all times, to identify and combat any breaches and suspicious activity from staff and partners alike immediately. Supply chain vulnerabilities was also highlighted as a major issue by Advent IM founder Mike Gillespie in a recent interview with IFSEC Global.
Once you re inside a supply chain entity, it s often easier to move down networks from inside than it is to attack a fortress from the outside, he said. Businesses need to think about what s in their supply chain up and downstream from themselves. If just one of our suppliers has no cyber security, then the whole of our supply chain is potentially compromised. One Tesco Bank customer has reported that cash had been withdrawn from his account, apparently from Rio de Janeiro in Brazil, in four separate transactions. Another customers has reported that online transactions totalling 300 had been sent without their knowledge to two companies she had never heard of. Suspicious activity The bank s telephone helpline was then unable to cope with the deluge of phone calls from customers, many of whom could not get through. Benny Higgins, CEO of Tesco Bank, said 40,000 accounts had been affected ( the bank has seven million customers in total), half of which had had money withdrawn over the weekend in what he described as online criminal activity . The bank sent text alerts to account holders late on Saturday when it detected suspicious activity on multiple accounts. The Financial Conduct Authority is monitoring the situation.
The National Crime Agency said it had been notified by Tesco Bank and was coordinating a response among law enforcement agencies. Higgins said: While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible. The fraud will be a hammer blow to the bank s efforts to elbow its way into the big four of Lloyds, RBS, HSBC and Barclays. An ICO spokesperson said: We re aware of this incident and are looking into the details. The law requires organisations to have appropriate measures in place to keep people s personal data secure. Where there s a suggestion that hasn t happened, the ICO can investigate, and enforce if necessary .
Download: The Video Surveillance Report 2016 This exclusive report covers the security needs of surveillance systems as shaped by the physical environment including: What do security professionals think about plug-and-play systems Challenges like low-light conditions or large spaces and the threats posed in various sectors Which cutting-edge features such as mobile access, PTZ smart controls or 4K resolution are most important to security professionals What are the most important factors driving upgrades and would end users consider an upgrade to HD analogue Download the full report here.