What went wrong at Tesco Bank?
Internal systems blamed for monster cyber-attack
Tesco Bank has enlisted the help of the National Cyber Security Centre (NCSC) following the most serious cyber-attack launched against a UK bank.
The attack against the supermarket giant's banking arm involved the theft of £2.5m from 9,000 customers' accounts, funds that the bank quickly reimbursed. Initially theft against 20,000 accounts was feared but this figure was revised downwards late on Tuesday night.
At the same time Tesco announced that it was restoring normal service. The company had suspended online and contactless transactions from current accounts in the immediate wake of the breach last weekend.
Tesco Bank manages around 136,000 current accounts. Security pundits have variously blamed credential stuffing, an inside job, and exploitation of a third-party supplier retail partner for the breach.
NCSC is working alongside the National Crime Agency to look into the cyber-attack, which is believed to be the biggest of its kind in the history of British banking.
Ian Mann, chief exec of cyber-security service ECSC, said the size of the breach indicates that it is likely that either Tesco's internal systems or its mobile application have been hacked.
Tesco Bank's method of access for customers is "weak for this type of system", according to Mann. "Username is your email by default, and you only need digits from a numeric PIN. By requiring limited digits from the PIN on login, they make it virtually impossible to hash (encrypt) the PINs they have stored. This means a compromise of their customer database will reveal all logins and passwords to the attacker."
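As an added illustration of Mann's point (example code, not Tesco Bank's or The Register's), the block below keeps only a salted hash of the complete PIN and then tries to answer a challenge for selected digits; it assumes a 6-digit PIN, three challenged positions and a deliberately low PBKDF2 round count. The record holds no per-digit information, so the server's only option is to hash every PIN consistent with the supplied digits: a slow hash makes each login cost up to 10^3 evaluations, while a hash fast enough to make that tolerable leaves a stolen table just as cheap to search.

```python
# Added example (not Tesco Bank's code): why a partial-digit PIN challenge
# and a properly hashed PIN store are hard to combine.
import hashlib
import hmac
import itertools
import os

PIN_LEN = 6    # assumed PIN length
ROUNDS = 500   # deliberately low so the demo runs quickly; real stores use far more


def hash_pin(pin: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted PBKDF2 digest of the complete PIN, as a password store would keep it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds)


def enrol(pin: str) -> dict:
    """Store only salt + digest of the full PIN; no single digit is recoverable."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_pin(pin, salt)}


def candidates(positions, digits: str):
    """Yield every full PIN consistent with the digits supplied for the challenged positions."""
    unknown = [i for i in range(PIN_LEN) if i not in positions]
    for fill in itertools.product("0123456789", repeat=len(unknown)):
        pin = [""] * PIN_LEN
        for pos, d in zip(positions, digits):
            pin[pos] = d
        for pos, d in zip(unknown, fill):
            pin[pos] = d
        yield "".join(pin)


def verify_partial(record: dict, positions, digits: str) -> tuple:
    """Check a partial-PIN challenge against a full-PIN hash.

    The server must hash each PIN that matches the supplied digits until one fits.
    Returns (accepted, number_of_hash_evaluations) so the cost stays visible.
    """
    tries = 0
    for pin in candidates(positions, digits):
        tries += 1
        if hmac.compare_digest(hash_pin(pin, record["salt"]), record["digest"]):
            return True, tries
    return False, tries


def worst_case_hashes(positions) -> int:
    """Hash evaluations a rejected login costs: 10 ** (number of unchallenged digits)."""
    return 10 ** (PIN_LEN - len(positions))
```

The conventional way out of this trade-off is to keep the PIN under a key held in an HSM and verify the challenged digits there, rather than hashing the PIN at all.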
Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, said: "While the details are still patchy, there's no doubt that this was a hugely sophisticated, coordinated and advanced attack – and as recent months have proven, no organisation is immune from similar attacks going forward. With cloud computing, hackers have so many more points of entry, and organisations need to put security in place to guarantee the safety of data, even if it falls into the wrong hands. In practice, this means putting multiple layers of control around their most sensitive data and closely monitoring access to stop theft on the way out rather than betting on the 'hard shell' approach with a sealed perimeter."
Tesco might face a huge fine under the recently revamped EU data protection rules over the breach, according to Hawthorn.
"When it comes to data security, the silent spectre of EU General Data Protection Regulation is slowly kicking organisations into action, and incidents such as this will only accelerate this trend," Hawthorn said. "One estimate is that Tesco Bank could be fined nearly £2bn under GDPR rules for this incident. The bottom line is that data security is no longer simply an issue for the IT department to tackle, and organisations can no longer sit back and ignore it. The stakes are higher than they have ever been, so when it comes to reviewing your security position, tomorrow may just be too late." ®