Cyber Incident Victim: Tesco Bank
Date: Nov 2016
Location: United Kingdom
Summary
Tesco Bank experienced a systematic, sophisticated cyberattack that compromised approximately 9,000 customer accounts, leading to unauthorized withdrawals totaling £2.5 million, which the institution fully refunded. The bank temporarily suspended online debit transactions to mitigate further criminal activity, assuring customers that no personal data was breached during the incident. A criminal investigation led by the National Crime Agency was initiated, while regulatory authorities highlighted broader concerns about vulnerabilities in complex banking IT systems enabling such attacks. The CEO publicly apologized for the disruption and confirmed the attack's containment.
Description
In November 2016, Tesco Bank experienced a cybersecurity incident affecting its current account customers. The attack occurred over a weekend, prompting the bank to temporarily suspend online debit transactions on Sunday to prevent further criminal activity. Initial reports suggested 20,000 customers might have been impacted, but subsequent investigation confirmed that 9,000 customers had funds stolen from their accounts. The bank characterized the breach as "a systematic, sophisticated attack" but did not disclose technical details about the intrusion methods or attacker origins. Tesco Bank CEO Benny Higgins publicly apologized for the inconvenience and confirmed all 9,000 affected customers received full refunds totaling £2.5 million within days of the incident. The bank emphasized that no personal customer data was compromised during the attack. Following refund completions, Tesco Bank restored full online debit transaction capabilities, allowing customers to resume normal account usage.

The National Crime Agency (NCA) assumed leadership of the criminal investigation, though no suspects or attribution details were released publicly. Tesco Bank executives declined to elaborate on the attack's specifics, citing the ongoing law enforcement investigation. Financial Conduct Authority (FCA) CEO Andrew Bailey expressed concern about the incident's implications for banking sector vulnerabilities, noting that complex IT systems in banks create multiple potential entry points for attackers. Regulatory requirements compelled Tesco Bank to refund unauthorized payments immediately under UK fraud compensation rules, which mandate reimbursement unless customers are proven negligent or claims exceed 13 months. The incident marked the first major cyberattack on Tesco Bank since its 2008 establishment as a wholly owned subsidiary of Tesco plc, originally formed through a joint venture with Royal Bank of Scotland. No additional customer impacts or follow-up attacks were reported following the containment measures and transaction suspension.
