20,000 Tesco Bank accounts raided by hackers, money stolen

Online transactions temporarily disabled, as bank promises to refund victims.

Graham Cluley
Graham Cluley
@[email protected]

20,000 Tesco Bank accounts raided by hackers

Customers of the UK’s Tesco Bank are likely to have their confidence rattled after it is confirmed that tens of thousands of accounts were raided by hackers this weekend.

The Guardian reports:

Tesco Bank has frozen online transactions after customers were affected by fraudulent activity and pledged to refund those who had money taken from their accounts over the weekend.

Benny Higgins, chief executive of the supermarket chain’s banking arm, said the decision to stop online transactions was an attempt to protect customers. He said 40,000 accounts had been affected, half of which had had money withdrawn in what he described as “online criminal activity”.

If you visit the Tesco Bank website you’ll see a statement to concerned customers from Higgins:

Tesco statement

Although Tesco Bank hasn’t shared details of precisely what happened, the scale of the fraud (some 20,000 accounts being plundered) indicates that this wasn’t a conventional attack against individual bank accounts, where victim’s PCs are typically compromised and login credentials stolen.

Sign up to our free newsletter.
Security news, advice, and tips.

Instead the attack’s size suggests that there was a serious security vulnerability in Tesco Bank’s online systems, that allowed fraudsters to gain access and move money out of accounts without having to go through all the usual authentication checks.

That’s the nightmare scenario for an online bank, and there will inevitably be customers who are deeply concerned about what has happened – even if the bank has promised to refund anyone who has had money stolen from them over the weekend.

Some victims report that they have had as much as £600 stolen from their Tesco Bank accounts by the hackers over the weekend.

It’s possible that the thieves resisted the urge to completely empty accounts in an attempt to reduce the chances of triggering alerts inside the bank that unusual transactions were taking place. I wonder if the timing of the attack – over the weekend – was also deliberately chosen by the online criminals.

Tesco Bank will need to work hard and quickly to rebuild the confidence of its customers, or find some of them choosing to jump ship. The best approach is for the bank to be as transparent as possible about what has occurred – as customers will be demanding answers.

Of course, it may take some time for the bank to confirm precisely how the crooks broke in, and to be certain that it cannot ever happen again.

Meanwhile, we can expect the Tesco Bank and the National Crime Agency to be taking a keen interest into where the stolen funds were moved, if there might have been some assistance from a rogue insider, and whether there is any prospect of either having some of the money returned or identifying the culprits.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “20,000 Tesco Bank accounts raided by hackers, money stolen”

  1. J Swinfen Green

    TescoBank have a message on their home page but not on the log in page that many people will no doubt have book-marked. Also when I checked earlier today there were plenty of messages on their Twitter pages but nothing I could find on Facebook or LinkedIn pages. Lots of people complaining about TecoBank's attitude, long waits for phone calls to get answered, and clueless call centre staff. Wonder if they had an adequate response plan in place.

  2. Etaoin Shrdlu

    When I had a Tesco bank account, they issued you with a little card reader for verification. You put your debit card in the gadget, entered your pin, and it displayed a one-time code that you used to log in. My Barclays account still uses this system.

    Then Tesco decided to change to using mobile phone verification, where they would send a code to your mobile each time you logged in, and you used that. I closed my account at that point, because I have no cell phone coverage at home in my rural location.

    Either of these systems seem resistant to the usual user-based hacking approaches, suggesting a server level compromise.

  3. Techno

    It was also Nov 5th, so the criminals may have timed it for the small hours after a national festival when people wouldn't be checking their online bank accounts.

    As Tesco used to be a joint venture with RBS, I expect that Tesco still uses RBS's infrastructure, and we know that RBS infrastructure has had major issues in the recent past. It would also be interesting how much of this infrastructure is outsourced to other countries.

    1. AJC · in reply to Techno

      Tesco Bank now uses an off the shelf American "bank in a box": the website is probably not from the same source.

      Last November (2015) Tesco Bank was crowing that it had adopted AWS cloud as 'business as usual' in eight months.

  4. graphicequaliser

    Looks like a MITM attack since they do not enforce HSTS Preloading.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.