Research

Tesco Bank Attack

Written by Reflare Research Team | Nov 9, 2016 12:34:00 PM

The financial strain from large-scale cyber attacks can be huge, which is why banks are investing heavily in cyber security. The UK financial institution Tesco Bank was hit by a large coordinated cyber attack just days after one of its main rivals, Barclays experienced a similar attack.

First Published 9th November 2016

The 'Tesco Finest' range does not apparently extend to its security. 

4 min read  |  Reflare Research Team

Over the weekend, UK financial institution Tesco Bank was hit by a large coordinated cyber attack. While little is known about the details of the attack, the case highlights several important security issues facing small and medium banks today.

Let us first look at the raw numbers. According to Tesco Bank’s own most recent reports, 9,000 accounts have been affected and GBP 2.5m has been stolen. The funds have since been returned to their owners. Tesco Bank further claims to understand what happened without offering further details and had suspended online debit card payments for 48 hours.

While these numbers are low in comparison to other major hacks of recent months and years, it is important to note that Tesco Bank is a rather small institution with reportedly 136,000 accounts in total. Thus the 9,000 accounts affected represent 6.6% of its customer base. Earlier reports had placed the affected number of accounts closer to 30% of the total customer base.

Such a relatively large percentage of affected customers is likely to lead to a sharp erosion of customer trust and thereby to financial duress for the targeted organization. A larger bank with more accounts would face fewer negative consequences as a smaller part of its customer base would be affected.

While no details of the attack have yet been published, the disabling of debit card payment functionality specifically implies that either a large number of debit cards belonging to Tesco Bank customers have been sold on the black market or that a vulnerability existed in the payment system itself. Such vulnerabilities may include bypassing secondary card security features like 3D Secure or TANs or information leakage allowing the attackers to retrieve card data directly from the bank’s servers. In accordance with UK reporting guidelines for cyber crime, more details should become available in the coming days.

The attack highlights a major point of concern facing virtually all small and medium financial institutions today: With a tightly limited pool of IT security expertise available, it is hard for smaller banks to compete for talent. Since the work required to secure millions of accounts is not linearly larger than the work required to secure thousands, smaller banks have to use a larger portion of their overall budget to secure their infrastructure. Larger banks are thus able to afford better systems and also to offer higher wages and thus attract higher skilled personnel.

While a hack of millions of accounts may have a bigger payout, hacking a small bank such as Tesco Bank provides by far enough incentives to an attacker.

This issue will be partially mitigated as the field of IT Security matures and more talent becomes available. It is also likely that governments, banks and security panels will attempt to establish core policies or platforms in order to raise the security of banks in a given jurisdiction to a common level. Whether such attempts will be met with success is unclear at this point in time.

It is also important to note that while Tesco Bank is a minor player, Tesco itself is one of the UK’s largest retailers. The primary financial damage done during the attack may well be minor in comparison to the damage done to the overall Tesco brand. Similar patterns of security breaches in relatively small group companies causing large damage to the overall brand have previously occurred. The case of Sony acquiring an overall reputation for weak security due to hacks into its Gaming and Movie subsidiaries is perhaps the most notable example.