LONDON (Reuters) - Retailer Tesco Plc’s banking arm said on Tuesday that 2.5 million pounds ($3 million) had been stolen from 9,000 customers over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank.
Tesco Bank said it had resumed full service after the theft, which forced the suspension of online transactions on Monday.
“We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal,” Tesco Bank CEO Benny Higgins said in a statement.
The bank, whose operating income has accounted for as much as a quarter of Tesco’s total in some years, added that no customer data had been compromised.
The National Cyber Security Centre (NCSC), a new government body, said on Tuesday that it was working with criminal investigators and Tesco to understand the nature of an attack described as “unprecedented” by the financial regulator.
The NCSC and Britain’s National Crime Agency said they could not remember another confirmed case where thieves had stolen large sums of money via a mass hacking of accounts at a Western bank.
The bank has provided few details about what happened. It is not clear how online thieves broke into the bank, how they pulled out the funds or how much was stolen. It is also not clear if there are any suspects.
A spokeswoman for Tesco declined to comment beyond its previous statement on Monday.
Cyber experts said that smaller banks, like Tesco’s, are more vulnerable to attack than global financial institutions, which have bigger cyber security budgets.
JPMorgan (JPM.N), for example, has disclosed that it spends about $600 million on cyber security annually.
“Smaller and medium-sized companies may be more vulnerable, many of them have not invested properly in security measures and an incident like this should stimulate them to think again,” said Sergio Romanets, cyber security expert at consultant Greyspark Partners in London.
Cyber and IT security risks have received little coverage in Tesco Bank’s most recent annual report, according to a Reuters analysis, with just one mention - saying “of note is the industry-wide attention on cyber-crime”.
Rival J Sainsbury Plc’s (SBRY.L) bank unit and Metro Bank Plc (MTRO.L), two other smaller “challenger” banks in Britain, each mention cyber and information security at least three times in their most recent annual reports. By contrast, among the country’s biggest banks, Santander UK has at least 49 mentions, Barclays (BARC.L) at least 14 and Lloyds 32.
Tesco Bank runs on separate IT systems from the group’s retail unit. The lender was originally set up as a joint venture with Royal Bank of Scotland and Tesco Plc in 1997 before becoming wholly owned by the retailer in 2008.
U.S. financial technology provider Fiserv (FISV.O) provides its online retail banking platform and its financial crime prevention system, according to Fiserv’s website.
“There is no indication that our software or services were involved in the incident that Tesco Bank experienced over the weekend. Nonetheless, we are offering our support in whatever manner will be helpful to Tesco Bank,” a spokeswoman for Fiserv said in an emailed statement to Reuters.
Tesco Bank has spent 500 million pounds ($618.75 million) building up its technology platform over the past seven years since the split with RBS, accounts show.
Britain’s financial regulator sought to reassure the public on Tuesday that financial authorities were working to understand the nature of the attack.
On Monday, lawmaker Andrew Tyrie, chair of Parliament’s powerful finance committee, said both banks and regulators had done too little to improve cyber security.
Reported attacks on financial institutions in Britain have risen from just five in 2014 to more than 75 so far this year, according to Financial Conduct Authority data, but bank executives and providers of security systems say many attacks go unreported.
($1 = 0.8081 pounds)
Additional reporting by Andrew MacAskill, Jim Finkle and Eric Auchard; Editing by Mark Potter, Pravin Char and Dan Grebler