The fine details are still murky, but news surfaced in the last day or two that Tesco Bank, a U.K.-based bank owned by the Tesco supermarket chain, suffered some sort of widespread fraud.
The bank’s CEO, Benny Higgins, told Radio 4 that around 40,000 of the bank’s 7 million accounts had seen “some sort of suspicious transactions.” Of those, around 20,000 customers have actually lost money from their bank accounts. In the interview, the CEO told the BBC he was “very hopeful” that customers would be refunded the lost funds. What he didn’t say is that I am sure he is also “very hopeful” that once this all washes up he and his IT team will still have jobs.
Customers have, at this stage, been blocked from making online transactions, suggesting that the fraud is related to online functionality. Transfers between accounts and to other account holders are still being actioned, however. Banking security experts seem to be unanimous that both in terms of the scale of the breach, and the depth of it, this is an unprecedented event.
Customers who have been impacted by the losses received text notifications and, as would be expected, the U.K. media is full of emotional stories of customers unable to pay for their groceries, gasoline or heating fuel. But while the human aspect is important and very troubling, there is, of course, an IT aspect to this that is particularly interesting.
Bank was running a system from a newer banking technology vendor
Interestingly, Tesco Bank reinvented its core banking technology a few years ago, moving away from a big legacy solution and instead investing in a core banking system from FiServ, a newer banking technology vendor. I’ve long been a critic of banks that stick to big old (often mainframe-based) solutions and have pointed out that these systems severely limit banks’ ability to innovate and gain agility.
I’ve been a proponent of “decoupling” banking systems and discussed the topic at length with Dawie Oliver, CIO of Westpac Bank. Of course, we don’t yet know for sure that the issue lies with FiServ or any parts of Tesco Bank’s core systems, but the sheer scale of this breach would suggest that it does. We also, it must be said, can’t rule out nefarious insider activity, although in fairness, fraud detection systems should be able to identify both inside and external attack vectors.
Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented: “The situation is not clear yet, and it’s too early to make any conclusions about the origins and the source of the breach. In the past, similar incidents involved many different approaches: from e-banking system compromise to targeted spear-phishing and social engineering campaigns aimed at infecting bank clients’ machines or mobile devices with sophisticated malware, stealing money from their accounts. A massive skimming campaign cannot be excluded either.”
Kolochenko adds some color, saying:
“It is important to highlight that such a large-scale attack with important financial losses would hardly be possible without some insider help to the attackers. Banking system, compliance processes and fraud-prevention systems are usually bank-specific, and in order to bypass them (we can speak about successful bypass, as so many people have already lost their money) we need to have some insider knowledge. Nevertheless, we need to wait for the official investigation results before making any conclusions.”
I’ll continue to watch this developing story. Meanwhile, at least Tesco Bank’s ownership status means that its IT team have a good source of over-the-counter pain medication. Something tells me they’ll need it.
This article is published as part of the IDG Contributor Network.