November 9, 2016
The bank, whose operating income has accounted for as much as a quarter of Tesco’s total in some years, added that no customer data had been compromised.
The National Cyber Security Centre (NCSC), a new government body, said on Tuesday that it was working with criminal investigators and Tesco to understand the nature of an attack described as “unprecedented” by the financial regulator.
The NCSC and Britain’s National Crime Agency said they could not remember another confirmed case where thieves had stolen large sums of money via a mass hacking of accounts at a Western bank.
The bank has provided few details about what happened. It is not clear how online thieves broke into the bank, how they pulled out the funds or how much was stolen. It is also not clear if there are any suspects.
A spokeswoman for Tesco declined to comment beyond its previous statement on Monday.
Cyber experts said that smaller banks, like Tesco’s, are more vulnerable to attack than global financial institutions, which have bigger cyber security budgets.
JPMorgan (JPM.N), for example, has disclosed that it spends about $600 million on cyber security annually.
“Smaller and medium-sized companies may be more vulnerable, many of them have not invested properly in security measures and an incident like this should stimulate them to think again,” said Sergio Romanets, cyber security expert at consultant Greyspark Partners in London.
Cyber and IT security risks have received little coverage in Tesco Bank’s most recent annual report, according to a Reuters analysis, with just one mention – saying “of note is the industry-wide attention on cyber-crime”.
Rival J Sainsbury Plc’s (SBRY.L) bank unit and Metro Bank Plc (MTRO.L), two other smaller “challenger” banks in Britain, each mention cyber and information security at least three times in their most recent annual reports. By contrast, among the country’s biggest banks, Santander UK has at least 49 mentions, Barclays (BARC.L) at least 14 and Lloyds 32.