Tesco Bank has blocked online transactions after tens of thousands of customers' accounts were hit by suspicious transactions over the weekend.
The bank on Monday posted a notice on its homepage explaining it had halted online transactions for all current account customers after customers lost funds over the weekend due to “online criminal activity”.
Tesco Bank customers can still access online banking accounts, for example to view funds, use their cards to make cash withdrawals, and pay for goods at the cash register using chip and PIN. However, they cannot use contactless payments at the register or make online debit transactions until the bank investigates the incident. The bank is planning to re-issue cards to affected customers and on Monday started refunding customer accounts.
“We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible,” Tesco Bank CEO Benny Higgins said on Monday.
Higgins told the BBC that the bank detected suspicious transactions affecting 40,000 accounts and that money was taken from about half of them. The bank has about seven million customer accounts. The BBC reports customers losing amounts below £1,000.
It’s not clear from Tesco’s statement what’s behind the fraud affecting Tesco Bank customers. The bank has not said it was hacked.
However, cyber attacks on the UK's finance sector organizations are on the rise. A senior officer from the UK Financial Conduct Authority in September revealed that the number of reported attacks on UK financial institutions rose from just five in 2014 to 75 in 2016. The FCA, which regulates 56,000 financial firms in the UK, was moving to identify which firms would pose the biggest risk if an attack knocked out services or compromised the integrity of data.
The UK National Crime Agency said it was coordinating a law enforcement response to the attack and warned customers to now be wary of email and text phishing, as well as any calls scouting for personal information, banking details or passwords. Last year it said UK consumers lost £20m to banking malware, such as Dridex.
It’s the second serious cyber attack in as many weeks on organizations that fall within the UK's definition of critical infrastructure. A malware attack on the Northern Lincolnshire and Goole (NLAG) NHS Foundation Trust and United Lincolnshire Hospitals Trust last week forced the cancellation of some operations.