Anatomy of a Breach: Tesco Bank — £2.5 Million Stolen from 9,000 Customer Accounts in a Weekend Attack

> series: anatomy_of_a_breach —— part: 095 —— target: tesco_bank —— stolen: £2,500,000 —— accounts: 9,000 —— fca_fine: £16,400,000

Hedgehog Security 30 November 2016 13 min read

9,000 accounts drained. £2.5 million stolen. Online banking suspended for 136,000 customers.

On the weekend of 5-6 November 2016, Tesco Bank detected a wave of suspicious transactions affecting its current account customers. Approximately 9,000 accounts were targeted, with around £2.5 million successfully stolen through fraudulent debit card transactions. Tesco Bank took the unprecedented step of suspending all online card transactions for its 136,000 current account holders — the first time a UK bank had been forced to halt online transactions due to a cyber attack.

The FCA's investigation revealed that attackers had exploited weaknesses in Tesco Bank's design of its debit card system, including the algorithm used to generate card numbers and the authentication controls on card transactions. The FCA fined Tesco Bank £16.4 million — finding that the bank had failed to exercise due skill, care, and diligence in protecting its personal current account holders from a 'largely avoidable' attack. Tesco Bank refunded all affected customers in full.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

The first mass fraud against UK current accounts.

Previous major payment fraud events in the UK — and internationally — had targeted payment processors, retailers, and credit card systems. The Tesco Bank attack was different: it targeted current account debit cards directly, draining money from customers' bank accounts rather than compromising cards at the point of sale. For UK consumers, the attack struck at the heart of banking trust — the expectation that money in a current account is safe.

Card System Design Weaknesses

The FCA found that Tesco Bank's debit card system had design weaknesses — including how card numbers were generated and how transactions were authenticated. These are the types of systemic design flaws that our <a href="/penetration-testing/pci-dss">PCI DSS penetration testing</a> and <a href="/penetration-testing/web-application">application testing</a> are designed to identify before attackers exploit them.

£16.4 Million FCA Fine

The FCA's £16.4 million fine — for a 'largely avoidable' attack — sent a clear message to UK financial services: regulators will impose significant penalties for security failures that harm customers. Combined with the <a href="/blog/anatomy-of-a-breach-zurich-insurance-uk">Zurich Insurance FSA fine</a> (2010), UK financial regulators have consistently demonstrated willingness to punish data security failures. Our <a href="/blog/sector-under-the-microscope-financial-services">financial services analysis</a> examines the regulatory landscape.

Online Banking Suspended

Tesco Bank's decision to halt all online card transactions for 136,000 customers was commercially devastating but operationally necessary. The ability to detect, contain, and respond to an active attack — including the decision to temporarily suspend services — requires tested incident response plans. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response planning and execution.

Weekend Timing — Again

The attack occurred over a weekend — the same timing pattern seen in the <a href="/blog/anatomy-of-a-breach-saudi-aramco-shamoon">Saudi Aramco Shamoon attack</a> (2012) and the <a href="/blog/anatomy-of-a-breach-bangladesh-bank-swift">Bangladesh Bank heist</a> (2016). <a href="https://www.socinabox.co.uk/sectors/ifas-wealth-managers">SOC in a Box for Financial Services</a> provides 24/7/365 monitoring that covers weekends and bank holidays.
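The mass-fraud pattern described in the sections above (thousands of unrelated accounts hit through card transactions over a weekend, against a card system whose number generation and transaction authentication were weak) is only visible to monitoring that looks across accounts rather than at each card on its own. The following is an added example, not Tesco Bank's, the FCA's or Hedgehog Security's code: it runs two cross-account rules over a constructed authorization log and escalates hits that land out of hours. The record format, merchant names, account identifiers, timestamps and thresholds are all assumptions chosen for illustration.

```python
"""Detection logic for a mass card-fraud event, run over constructed sample data.

Added example, not Tesco Bank's or Hedgehog Security's code. The record format,
thresholds and every value in SAMPLE_AUTHS are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization records: (timestamp, account_id, merchant, country, amount_gbp).
# account_id stands in for the card's account-identifier digits; all values are made up.
SAMPLE_AUTHS = [
    ("2016-11-05 09:12:00", 410233, "GROCER-UK", "GB", 42.10),
    ("2016-11-05 09:40:00", 519877, "COFFEE-UK", "GB", 3.20),
    ("2016-11-05 10:05:00", 287651, "GROCER-UK", "GB", 18.75),
    ("2016-11-05 03:01:00", 700001, "ECOM-XX", "BR", 199.00),
    ("2016-11-05 03:01:30", 700002, "ECOM-XX", "BR", 199.00),
    ("2016-11-05 03:02:00", 700003, "ECOM-XX", "BR", 199.00),
    ("2016-11-05 03:02:30", 700004, "ECOM-XX", "BR", 199.00),
    ("2016-11-05 03:03:00", 700005, "ECOM-XX", "BR", 199.00),
    ("2016-11-05 03:03:30", 700006, "ECOM-XX", "BR", 199.00),
]


def parse(records):
    """Convert timestamp strings to datetimes and sort chronologically."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), acct, merch, ctry, amt)
              for ts, acct, merch, ctry, amt in records]
    return sorted(parsed, key=lambda r: r[0])


def distinct_account_bursts(records, window=timedelta(minutes=10), threshold=5):
    """One merchant authorizing `threshold` or more distinct accounts inside `window`.

    Each transaction looks legitimate on its own; the signal is the number of
    unrelated accounts hitting one merchant at once, which a per-card rule never sees.
    Returns (merchant, window_start, distinct_accounts) tuples.
    """
    by_merchant = defaultdict(list)
    for ts, acct, merch, _, _ in parse(records):
        by_merchant[merch].append((ts, acct))
    alerts = []
    for merch, events in by_merchant.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            accounts = {acct for _, acct in events[start:end + 1]}
            if len(accounts) >= threshold:
                alerts.append((merch, events[start][0], len(accounts)))
                break  # one alert per merchant is enough for triage
    return alerts


def sequential_account_runs(records, min_run=4):
    """Merchants whose authorized accounts form runs of consecutive identifiers.

    Consecutive account numbers arriving through one merchant indicate card
    numbers being tried in order, which only pays off when the issuer assigns
    them predictably. Returns (merchant, first_account, last_account) tuples.
    """
    by_merchant = defaultdict(set)
    for _, acct, merch, _, _ in parse(records):
        by_merchant[merch].add(acct)
    alerts = []
    for merch, accounts in by_merchant.items():
        ordered = sorted(accounts)
        run_start = 0
        for i in range(1, len(ordered) + 1):
            # a run ends at the list end or where the next identifier is not prev + 1
            if i == len(ordered) or ordered[i] != ordered[i - 1] + 1:
                if i - run_start >= min_run:
                    alerts.append((merch, ordered[run_start], ordered[i - 1]))
                run_start = i
    return alerts


def out_of_hours(ts):
    """Weekend or 00:00-06:00: the window in which an unmonitored bank finds out on Monday."""
    return ts.weekday() >= 5 or ts.hour < 6


def triage(records):
    """Combine both rules; bursts that start out of hours are escalated to 'high'."""
    findings = []
    for merch, start, n in distinct_account_bursts(records):
        severity = "high" if out_of_hours(start) else "medium"
        findings.append({"rule": "distinct_account_burst", "merchant": merch,
                         "accounts": n, "severity": severity})
    for merch, first, last in sequential_account_runs(records):
        findings.append({"rule": "sequential_accounts", "merchant": merch,
                         "range": (first, last), "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTHS):
        print(finding)
```

Both rules key on the merchant rather than the card because that is the axis along which a mass attack clusters; the thresholds are deliberately small so the constructed sample trips them, and a production deployment would tune them against normal merchant volumes and feed the "high" findings to whoever holds the authority to suspend a channel.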

The FCA expects due skill, care, and diligence. Can you demonstrate it?

The Tesco Bank fine established that the FCA considers cyber security failures to be failures of 'due skill, care and diligence' — the same standard applied to other operational failures. For FCA-regulated firms, this means that cyber security is not an IT issue but a regulatory compliance obligation that the board must own.

Our PCI DSS penetration testing assesses payment card system security. Infrastructure testing validates fraud detection and transaction monitoring controls. Cyber Essentials certification provides evidence of baseline security. SOC in a Box for Financial Services provides the continuous monitoring the FCA expects. And UK Cyber Defence provides the incident response capability that turns an attack into a managed event rather than a £16.4 million fine.


The FCA fined Tesco Bank £16.4 million for a 'largely avoidable' attack. Is yours avoidable?

Our <a href="/penetration-testing/pci-dss">PCI DSS testing</a> assesses payment system security. <a href="/cyber-essentials">Cyber Essentials</a> certifies baseline controls. <a href="https://www.socinabox.co.uk/sectors/ifas-wealth-managers">SOC in a Box</a> monitors 24/7.
