View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 7, 2016updated 10 Nov 2016 3:14pm

Tesco Bank Hack – 6 vital questions that need answering

The questions the bank will have to answer about how it was hacked and what happens next

By Sam

Following its admission that 20,000 customers have had money stolen from online accounts and that 40,000 accounts had been breached, CBR put some questions to the bank:

  • Does Tesco Bank employ a Chief Information Security Officer?

(In fact the company lists a Head of IT and Information Security – In August this year the bank said it was hiring – “I’m hiring for several Information Security roles at Tesco Bank. Looking for experienced Security Managers and Specialists. The roles are located out of our Edinburgh offices.)


  • Are Tesco Bank’s current accounts run on standalone discrete IT systems with their own security protection, protocols and policies?
  • Do Tesco Bank operate standalone managed data centres owned and operated by the bank?(We know that in 2012 the bank said it completed the migration of all IT onto to its own systems, ending several years of operating from shared systems with RBS which was the original partner for the bank owning 50% when it started in 2007.)Has Tesco Bank you engaged a computer forensics firm to investigate the breach?

Tesco Bank has yet to comment.

When does Tesco Bank expect the initial report into the scope of the breach?

Tesco Bank has yet to comment.

Apart from the suspension of account activity, what other mitigation procedures have been executed?

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

Tesco Bank has yet to comment.


Read 20 key facts about Tesco Bank and its IT systems

Read the story of the hack.

Some industry reaction:

Javvad Malik, security advocate at AlienVault, explains: “Judging by the vast scale of this attack it is likely that a main banking system that was compromised.

“Online banking is generally safe enough and fit for purpose. There are improvements being made, with many banks deploying card-reader or one-time-password tokens to customers which are needed to logon or to pay a new account. I say safe enough, because there is compensation, insurance, and other coverage in place. So as long as customers are refunded their money, and the losses remain within the banking fraud appetite, it remains a viable business model.

“One of the biggest challenges banks in the UK have are around legacy software and systems. Many core banking applications run on old architecture build around mainframes. While these are robust systems and do well in crunching the numbers, the added functionality of online banking, faster payments, etc. all has to be ‘bolted on’ – with many systems resembling a Frankenstein architecture. Years of mergers, acquisitions, and divestments have all compounded the issue.”

Ilia Kolochenko, CEO of web security company, High-Tech Bridge, said: “In the past, similar incidents involved many different approaches: from e-banking system compromise to targeted spear-phishing and social engineering campaigns aimed at infecting bank clients’ machines or mobile devices with sophisticated malware, stealing money from their accounts. A massive skimming campaign cannot be excluded either.

“It is important to highlight that such a large-scale attack with important financial losses would hardly be possible without some insider help to the attackers. Banking system, compliance processes and fraud-prevention systems are usually bank-specific, and in order to bypass them (we can speak about successful bypass, as so many people have already lost their money) we need to have some insider knowledge. Nevertheless, we need to wait for the official investigation results before making any conclusions.”


The Tesco Statement issued after the hack:

Tesco Bank can confirm that, over the weekend, some of its customers’ current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently.

We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts. That is why, as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers. While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible.

 We continue to work with the authorities and regulators to address the fraud and will keep our customers informed through regular updates on our website, twitter and direct communication.

We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible.

Benny Higgins

Chief Executive


Topics in this article : , , , ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.