Some 40,000 Tesco Bank accounts have been frozen following online fraud attacks, with money taken from some 20,000 customers. Social media comments have been made since Saturday, when the fraudulent activity was first spotted.
A statement has been released by the Chief Executive, Benny Higgins, explaining why action has been taken to temporarily stop online banking for current accounts, and explaining that the bank is working with the authorities and regulators. He has further stated that ‘We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible.’ Whilst this will be of some solace to customers that have been impacted, there have been a significant number of complaints about the lack of information and long call centre delays. There have been reports of those who have managed to get through who have then been dissatisfied by the inability of the staff to deal with concerns.
From an information security perspective, this breach raises several questions. It is staggering that such a breach has been able to occur, tackling individual accounts in this way. At least it has not happened towards the end of the month, when many people are paid and have direct debits and standing orders due to go out, but there is a significant number of people who have been left without money to purchase food, fuel and pay bills.
Automated texts do appear to have been efficient at alerting customers to the fraudulent activity. However, Tesco Bank do not appear to have been particularly effective in responding to customer queries, and ensuring that calls from concerned customers could be handled promptly. Disruptions do increase call centre usage, and this should be noted within incident response plans.
The immediate focus is refunding the stolen monies. It is not clear how much has been stolen; sums appear to range from small to a couple of thousand. Longer term, it will be interesting to understand what data has been breached. Banks hold a significant amount of personal data, and I am curious to know whether customers will be advised to simply change passwords, or whether more fundamental account details will have to be updated.
It is often noted that information security breaches can take a significant length of time to be discovered. In this case, the fraud text alert system has certainly been effective. However, cyber crime has long been a concern in the banking industry, with the Bank of England highlighting “a tendency among [banking] firms to view cyber-threats as a technical problem rather than an issue which merits board-level attention given the evolving nature of cyber-threats and the key importance of cyber-resilience to continuity of financial services”.
There have been previous reports about Tesco Bank and privacy concerns, including during 2010, 2012, 2014, and February 2016. Given this trend, it would appear that Tesco Bank could do more to ensure the on-going maintenance, monitoring and continual improvement of their information security!
The Tesco Bank website states that the ‘security of your accounts is a priority for Tesco Bank’; customers will now be wondering how secure is secure?
Written by Helen Molyneux