Expert comment on the cyberattack at Tesco Bank: Quick investigation of a million theft?

Vienna, 14th of November 2016. Just a few days ago, 9,000 customers of Tesco Bank in the UK found more than 3 million Euros missing from their accounts. Online banking was therefore briefly suspended. Within a short period of time the bank reimbursed its affected customers. The facts already known about the cyber attack point to various potential backgrounds.

What happened
It is the first time that, in a cyberattack on an online bank, money was stolen directly from customer accounts. At first it was rumoured that 20,000 customers were affected, but in the meantime the reported number is about 9,000.

The potential backgrounds of the cyber attack

“It is striking that the bank reimbursed its customers within this short time span and so quickly returned to ‘business as usual’. Customers were also not asked to change their passwords due to this incident”, comments Christian Polster, Chief Strategy Officer of RadarServices, a provider of continuous IT Security Monitoring. “Generally speaking, in the course of such a huge cyber attack the affected company can only find out what happened in detail and know whether the danger is averted if thorough investigations are carried out. The executive board of Tesco Bank, however, already reported that it is clear to them what happened”, according to Polster.

Such a quick investigation of the case points to two potential backgrounds, neither of which probably has its origin in technical IT security deficiencies at Tesco Bank. The first is an “Insider Threat”, meaning an attack in which employees were involved: they could have logged in with administrator access and arranged these transactions from within the corporate network. The other option is that the bank itself is not the victim of this cyberattack, but one of its service providers is.

Less probable is the option that the security mechanisms of Tesco Bank themselves were compromised. The most likely explanation is a problem with customer authentication. For example, an error in the allocation of “One-Time passwords”, which are required for financial transactions, could mean that this security level was bypassed. The personal passwords of customers, which constitute the second security level, could have been collected by the attackers via phishing or dictionary attacks, or extracted from copied databases. This option, however, should have prompted the bank to ask its customers to change their passwords.

Integral security concepts required
Technical IT security is one thing. The state of the art is the proactive tracking of security vulnerabilities and the real-time detection of attacks on the IT. This continuous IT Security Monitoring comprises three areas: constant monitoring of all gateways for malware and of all communication channels across corporate boundaries, continuous internal as well as external vulnerability analysis, and ongoing analysis and correlation of the logs of individual systems.

“Important, however, is that IT security is also considered from a holistic point of view. What does the security culture of the company look like? How high are the standards of the suppliers? Everything has to be checked at regular intervals, evaluated by experts and, if necessary, improvement measures need to be taken”, according to Polster.

This is further reinforced by the threat of reputational damage caused by IT security incidents such as the one at Tesco Bank, as well as by the future fines that the EU data protection regulation will impose on companies. Starting in 2018, in the case of cyber attacks, fines of up to 4% of the annual turnover of the entire corporation are possible. In the case of Tesco Bank this sum would amount – based on the Tesco group’s turnover of 56 billion EUR – to 2.2 billion EUR.