As I See It
Tesco Bank attack: now it’s getting personal
Bank robberies used to involve masked men in stripey jumpers leaping into getaway cars. No longer. They may still be concealing their identity, but they can now organise a raid without going anywhere near a bank.
The theft by hackers from customer accounts at Tesco Bank, a number later revised from 20,000 to 9,000, had no eyewitnesses, but it was just as audacious as any sneaky attempt at dynamiting the vaults.
This is the latest cyberattack on a large company, a phenomenon once thought to be a threat to the few which is now becoming an everyday occurrence for many firms, large and small.
Hackers who may be working from a laptop in the comfort of their own home, or a workshop in the middle of a crowded Asian city, are now toying with the world’s big hitters, testing the robustness of their systems and their ability to defend their companies.
Already we have seen the devastating effect on telecoms company TalkTalk, the mobile company Vodafone, business software provider Sage, and the electronic goods retailer Dixons Carphone.
HSBC apologised to customers earlier this year after its UK personal banking websites were shut down by a “distributed denial of service” attack. But no customer funds were at threat during that breach.
The raid on Tesco Bank represents a new and more worrying phase. Where others suffered breaches of personal information, the Tesco hackers were able to steal money from customer accounts.
This is now getting personal. A hack attack is no longer restricted to disruptive mischief causing problems for big companies. When customers see their money being stolen it is very much a crisis for them, too.
As one security expert stated: “You feel violated. It’s very similar to having your house broken into.”
It is somewhat ironic that the victim this time is one of the so-called challenger banks which were meant to provide an alternative to the risks associated with the established banks.
Attempts at finding out how the attack was conducted have pointed at malicious software or skimming devices which steal data from cards. This will become clearer in the coming days.
One issue that Tesco does share with previous victims is the damage this does to its reputation and the confidence of customers. If there is no trust in the bank to safeguard funds then it could suffer significantly and quickly.
This will require a huge campaign to reassure all those with a stake in the bank that it can compensate all those affected and that it can build new safeguards to prevent a repeat attack from succeeding.
It represents a new challenge for Tesco group chief executive Dave Lewis who, only last week, was basking in signs of his turnaround strategy beginning to work.
The bank represents only a small proportion of group turnover. Even so, the board took the ambitious decision to buy out RBS’s stake and then provide the capital to back its venture into mortgages and current accounts as it sought to become what its CEO Benny Higgins described as a proper clearing bank.
There was talk of it being divested, possibly floated on the stock market to raise more capital. This incident is likely to park any such thoughts for some time.
If this attack proves anything it is that no one is immune from attack and that it is incumbent on all businesses to take whatever security measures are necessary to ensure those risks are minimised.