Startling Holes in Our Cybersecurity Network: The Tesco Bank Hack
Tesco Bank, the British retail bank run by the UK’s largest supermarket chain, lost approximately 2.5 million pounds this month after hackers broke into the accounts of more than 9,000 customers. The bank has pledged to reimburse customers who lost money and ultimately decided to suspend online banking for all of its 136,000 customers. Spokespeople claimed that personal data had not been compromised in the hack and that customers do not need to change their passwords, yet the sheer scope of the attack has made security experts uneasy.
The company first caught on to the breach on Saturday, November 5, and immediately began texting customers who had been affected. Many customers saw their money being moved out of Tesco accounts via overseas transactions to Spain and Brazil. Although there was initial concern that the hack was an inside job, aided by a bank employee, it is now being chalked up to general human error and a failure to create a truly secure system.
This attack represents a major modern shift in cybercrime, from attacking individual customers to attacking an entire bank in one go. Perhaps the most troubling discovery in the wake of the hack was that Tesco had been warned by the security firms CyberInt and Codified Security about the weaknesses in its system, warnings to which the company did not respond. No company can be expected to track every spam email about cybersecurity that floods its inbox, but in this case, if the reports from Codified Security truly were purposefully ignored, it reveals a dangerously cavalier attitude toward cybersecurity at the Tesco Bank headquarters.
Defenders of the bank have argued that the hack was successful because it took place during the weekend, when the technical staff were not at their desks responding to customer reports and warning signs as they would during the work week. Regardless of the timing of the attack, the amount of money shifted from customer accounts is disturbing, especially as it is only the latest in a string of high-profile hacks this year. Almost two years ago, the Bank of England highlighted cybercrime in the meetings of its financial policy committee, noting that banks were woefully unprepared for large-scale attacks on their databases, but that warning came and went with very little impact.
It is not only smaller, less conventional banks like Tesco that have been targeted: in January of this year, HSBC shut down its mobile banking platform after a distributed denial-of-service attack. Tesco Bank is a relative mom-and-pop bank compared to the global behemoth that is HSBC, which explains why it did not have the same early warning notifications and success that HSBC did when shutting down the January hack. No bank, either electronic or brick and mortar, is definitively safe, but when hundreds of accounts are being attacked, there is a clear issue with security. Tesco Bank will take a major hit in the wake of the attack, but rather than lying back and celebrating the decline of a competitor, other UK banks, and banks around the globe, should be rushing to their own cybersecurity teams to repair the weaknesses that could be exploited in the next great hack.