November 14, 2016

Tesco was warned before hack – claim cyber security firms

Reports say dark web chats described the bank as a cash machine

By Sam

Tesco Bank was warned about criminals boasting on the dark web that they could easily steal money from the online bank in the weeks before it revealed that 9,000 accounts were breached and £2.5m stolen.

According to reports, Cyberint, a security firm, said it had found and warned Tesco Bank about forum conversations claiming that it was a ‘cash milking cow’ and that it was ‘easy to cash out.’

There is no evidence that the boasts and the subsequent large-scale hack were linked.

Last week Tesco Bank issued prepared statements acknowledging the hack, apologising and saying that money had been refunded.

The FT reported that another company, Codified Security, said its researchers found vulnerabilities but were rebuffed when they tried to contact the bank.

Tesco told the FT that it received lots of approaches from consultants.

Other reports in the Sunday Times said that the stolen money had been used by a gang to purchase thousands of low-priced goods using contactless mobile phone payments in Brazil and the US.


CBR asked experts what the Bank had to do next and whether any arrests were likely to be made.

Tesco issued the following statement on Nov 8th.

Tesco Bank announces full service has resumed for customers

Tesco Bank today confirmed normal service has resumed following the temporary suspension of online transactions from current accounts.

The Bank also confirmed that personal data was not compromised as a result of fraud that took place over the weekend of 5-6 November and that online transactions had been suspended to prevent criminal activity.

Tesco Bank CEO, Benny Higgins commented:

“Our first priority throughout this incident has been protecting and looking after our customers and we’d again like to apologise for the worry and inconvenience this issue has caused.

“We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’d also like to reassure our customers that none of their personal data has been compromised.”

Tesco Bank has now confirmed around 9,000 customers were affected by these fraudulent transactions and all customers affected were fully reimbursed by the evening of Tuesday 8 November. The total cost of refunding these customers is estimated to be £2.5 million.

Tesco Bank confirmed it is continuing to work closely with the authorities and regulators in their criminal investigation of this incident.

Notes to editors

  1. Tesco Bank has 7.8 million customer accounts across the UK. 136,000 customers hold current accounts with the Bank, of these 9,000 were identified as being victims of fraud.
  2. Although services such as mobile banking, cash withdrawals, chip and pin payments, existing bill payments and direct debits have continued as normal throughout this incident, Tesco Bank suspended online debit transactions as a precautionary measure on Monday 7 November. This suspension has now been lifted and normal service was resumed for customers on Tuesday 8 November.

