Customers at U.K.-based Tesco Bank may have made history last weekend, but not for the reasons one might have imagined.
This came after 20,000 Tesco Bank clients were victimized by cyber-thieves who breached the bank's security firewall and withdrew money directly from client accounts.
The hackers' "systematic, sophisticated attack" differs from most data breaches in that the cyber-thieves eschewed traditional theft targets like driver's licenses or credit card numbers. Instead, they figured out a way to access customer bank accounts directly, just as easily as if they had a customer's ATM card of their own.
The cyber-attack occurred over the weekend, with 40,000 Tesco Bank accounts breached, and 20,000 accounts having cash taken out by cyber-hackers.
On November 6, Benny Higgins, CEO at Tesco Bank, issued an alert to the financial institution's 137,000 customers that the bank would stop online transactions from current accounts and that debit transactions would not be available. Cash withdrawal and payment with chip and PIN cards would still be possible. Higgins also said the bank would refund any money lost to customers due to the security breach by November 7.
Cyber security experts call the Tesco breach unprecedented, but not necessarily surprising.
"I've not heard of an attack of this nature and scale on a U.K. bank where it appears that the bank's central system is the target," notes Alan Woodward, a security consultant with experience working for Europol.
The real threat is that now, apparently, cyber-criminals are targeting bank customer accounts directly, experts say.
"It's extremely unusual to see an attack of this scale directly on consumer bank accounts," says Tim Erlin, Senior Director of IT Security and Risk Strategy for Tripwire, a security services firm based in Portland, Ore.
Erlin says he wouldn't expect Tesco or law enforcement authorities to understand exactly how this attack has been carried out for quite some time. "It's clear the criminals responsible have executed a well-planned and coordinated attack," he says. "The complexity of the systems involved will make it challenging to unravel exactly what has happened here."
Tom Kellermann, CEO of Strategic Cyber Ventures, a cyber security technology company, views the Tesco breach as a landmark data security incident, with far-reaching implications.
"This breach serves as a canary in the coal mine," Kellermann says. "It highlights the failure of current bank cybersecurity standards."
Kellermann views the Tesco breach as unsurprising, given that most financial institutions have underinvested in cybersecurity programs. "They are over-reliant on perimeter defenses which are being circumvented by organized cybercrime syndicates," he explains. "Greater investment must be made in technologies which monitor what occurs inside the vault. User behavior analytics and deception security technologies can greatly enhance the safety and soundness of our banks."
Kellermann also says that hackers could easily replicate the attack against U.S. banks. "Some banks are better defended than others," he says.
To fight back, Kellermann advises U.S. banks to wake up and recognize the threat they're facing - and beef up security defenses significantly.
"The security standards for banks must be modernized as right now, those standards are inadequate in thwarting the modern Dillinger gangs," he says.
The same goes for banking consumers. "U.S. banking customers should update all their software every Tuesday, use Firefox as a browser, use anti-virus software, change their password to pass phrases with numbers and never use public Wi-Fi or respond to an email from their bank asking for their information," he adds.
Other cyber-security gurus say it's frustrating that banks haven't done more to prevent what security professionals have been predicting for years.
"Absolutely, hackers could do the same thing to U.S. banks," says Michel Benaroch, professor of management information systems at Syracuse University. "There is nothing unique that U.S. banks are doing that would make them immune to similar hacks. The technology and information technology management issues at the core of such hacking incidents are the same across most banks. In fact, we know of enough instances where hackers penetrated U.S. banks' systems and stole confidential customer data. The distance from there to actually manipulating customer accounts is not that big."
There is, however, a strong measure of comfort for financial consumers.
Anna Chernobai, an assistant professor of finance at Syracuse University, says U.S. banking customers shouldn't "panic" after hearing about the Tesco breach.
"It's scary to think that hackers might end up with money you have deposited in a bank," Chernobai says. "The good news is that technology systems offer audit trails that banks can use to trace data breaches and the customer accounts that have been affected."
"In the end, the probability of your individual personal account holdings being affected by hackers is still extremely low, almost negligible in practical terms."
Maybe so, but tell that to 20,000 Tesco customers - who have to wonder whether or not their bank accounts will ever be safe again.