Tesco Bank Attack
Over the weekend, UK financial institution Tesco Bank was hit by a large coordinated cyber attack. While little is known about the details of the attack, the case highlights several important security issues facing small and medium banks today.
Let us first look at the raw numbers. According to Tesco Bank’s own most recent reports, 9000 accounts have been affected and GBP 2.5m has been stolen. The funds have since been returned to their owners. Tesco Bank further claims to understand what happened, without offering details, and suspended online debit card payments for 48 hours.
While these numbers are low in comparison to other major hacks of recent months and years, it is important to note that Tesco Bank is a rather small institution with reportedly 136,000 accounts in total. Thus the 9000 accounts affected represent 6.6% of its customer base. Earlier reports had placed the affected number of accounts closer to 30% of the total customer base.
Such a relatively large percentage of affected customers is likely to lead to a sharp erosion of customer trust and thereby to financial duress for the targeted organization. A larger bank with more accounts would face fewer negative consequences, as a smaller part of its customer base would be affected.
While no details of the attack have yet been published, the disabling of debit card payment functionality specifically implies either that a large number of debit cards belonging to Tesco Bank customers have been sold on the black market or that a vulnerability existed in the payment system itself. Such vulnerabilities may include the bypassing of secondary card security features such as 3D Secure or TANs, or information leakage allowing the attackers to retrieve card data directly from the bank’s servers. In accordance with UK reporting guidelines for cyber crime, more details should become available in the coming days.
The attack highlights a major point of concern facing virtually all small and medium financial institutions today: with a tightly limited pool of IT security expertise available, it is hard for smaller banks to compete for talent. Since the work required to secure millions of accounts is not linearly larger than the work required to secure thousands, smaller banks have to use a larger portion of their overall budget to secure their infrastructure. Larger banks are thus able to afford better systems and to offer higher wages, and so attract more highly skilled personnel.
While a hack of millions of accounts may have a bigger payout, hacking a small bank such as Tesco Bank still provides more than enough incentive for an attacker.
This issue will be partially mitigated as the field of IT security matures and more talent becomes available. It is also likely that governments, banks and security panels will attempt to establish core policies or platforms in order to raise the security of banks in a given jurisdiction to a common level. Whether such attempts will be met with success is unclear at this point in time.
It is also important to note that while Tesco Bank is a minor player, Tesco itself is one of the UK’s largest retailers. The primary financial damage done during the attack may well be minor in comparison to the damage done to the overall Tesco brand. Similar patterns of security breaches in relatively small group companies causing large damage to the overall brand have previously occurred. The case of Sony acquiring an overall reputation for weak security due to hacks into its Gaming and Movie subsidiaries is perhaps the most notable example.