Tesco Bank has confirmed that over the weekend, some of its customers' accounts were subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently. News reports in the U.K. said 40,000 accounts had been affected and amounts of up to 2,000 pounds had been stolen.
The Edinburgh-based bank has temporarily blocked online banking transactions, though customers can still use cards to withdraw cash, make chip-and-PIN payments, and handle bill payments and direct debits.
"We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers' accounts," Chief Executive Benny Higgins said in a statement posted on Tesco's website. The bank was working to resume normal service as soon as possible, he said.
The attack is especially noteworthy in that it strongly suggests a hack into, or an insider's exploitation of, the bank's own online banking system. Most online banking attacks, at least publicly acknowledged ones, have involved fraudsters stealing users' user names and passwords to impersonate them, not actual break-ins into banks' core systems.
"It's extremely unusual to see an attack of this scale directly on consumer bank accounts," said Tim Erlin, senior director of IT security and risk strategy for Tripwire. "I wouldn't expect Tesco or law enforcement authorities to understand exactly how this attack has been carried out for quite some time. It's clear that the criminals responsible have executed a well-planned and coordinated attack. The complexity of the systems involved will make it challenging to unravel exactly what has happened here."