‘Serious vulnerability’ to blame for theft of 20,000 accounts, says expert
Tesco has blocked internet purchases on all 136,000 debit cards issued by its banking division after one of the largest cyber bank robberies in UK history.
Benny Higgins, chief executive of Tesco Bank, said 40,000 accounts had been targeted, with cash stolen from about half of the compromised accounts. Several customers told the Financial Times they had lost £1,000 or more, with reports suggesting others had suffered smaller losses.
Mr Higgins declined to say how much money had been taken: “We apologise for the worry and inconvenience that this has caused for customers and can only stress that we are taking every step to protect our customers’ accounts.”
The bank said last night it had started refunding customers and would have paid everyone back by the end of today.
The National Crime Agency, which handles serious crime cases, including cyber security, said it had been notified and was leading an investigation.
The NCA’s initial working theory is that the incident originated from an organised-criminal syndicate rather than state-sponsored actors or hacktivists, according to one person briefed on the investigation.
While other banks, including the US’s JPMorgan Chase, have reported hacks that involved theft of customer details, few have involved theft of cash from a large number of accounts.
Graham Cluley, an independent computer security expert, said the “sheer number of accounts which have had money drawn from them” suggested “the problem was really at Tesco’s end”.
The Financial Conduct Authority, the financial watchdog, requires banks to refund unauthorised payments immediately, unless there is evidence that the customer is at fault or waited more than 13 months to inform the bank about the questionable charge. It said it was working with Tesco Bank to resolve the issue.
The attack is a setback for Tesco Bank, which began as a joint venture with Royal Bank of Scotland in 1997 and has, in recent years, looked to become a fully functioning bank to challenge the established high street lenders.
Tesco Bank said it had stopped online transactions from all current accounts but was “working hard to resume normal service”. Customers will still be able to use their cards for cash withdrawals, chip and pin payments and existing bill payments and direct debits.
