Tesco Bank has announced that hackers compromised an estimated 40,000 accounts, at least half of which had varying amounts of money stolen from their owners. Forget ATMs or mobile apps: The future of digital bank heists involves hitting the systems on which the banks themselves have come to rely.
Consumers in the United Kingdom were first told about the problems with their accounts via text messages sent on Sunday. But the nature of the problem — and the fact that it affected tens of thousands of people — wasn’t made public until Tesco Bank CEO Benny Higgins released a statement on Monday.
“Tesco Bank can confirm that, over the weekend, some of its customer’s current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently,” Higgins explained. (He also said that the bank will be responsible for any missing funds.)
But those hacks differ because they target easy-to-access devices (ATMs) or individuals (using malware to steal login data from mobile apps) instead of the banks themselves. Tesco Bank said that it’s working with the proper authorities to investigate the breach, but otherwise it has stayed mum about how the hackers managed to compromise the systems used to handle customer accounts.
The scope of this hack doesn’t bode well. Updating an ATM’s software or helping people recover after someone compromises their login credentials is one thing. Figuring out how someone got into a more vital system — and that’s likely what happened, given how many accounts were affected by this hack — to resolve that problem is another problem entirely. Perhaps Tesco Bank had a vulnerability that was easy to exploit; maybe it was a more sophisticated hack. We don’t know yet.
This makes the Tesco Bank hack more similar to the SWIFT hack from earlier this year that allowed people to steal $81 million in the biggest digital heist to date. That hack targeted critical infrastructure, and it’s got banks around the world concerned.
Tesco Bank customers told the BBC that they lost anywhere between £20 and £600. The company said that it’s in the process of reimbursing those customers now, and that it’s hoping to resolve all problems by Wednesday. Other information — what systems were affected, for how long, and how much money was stolen — hasn’t been shared.