How long must we wait for Tesco to reveal cyber-heist attack data?

News by Davey Winder

The Tesco Bank cyber-heist was Britain's biggest attack to date but the information on how the attack was perpetrated is not being shared with those who need to know, reports Davey Winder.

Tesco Bank has been robbed. That much we know, along with some 9000 current account holders who lost an average of £250 each if the £2.5m total loss figure is an accurate one. Tesco Bank itself knows the exact numbers, and CEO Benny Higgins says he knows the precise attack mechanism as well.

He's not telling us, though, or anyone for that matter. It's far too early in the criminal investigation of what is looking like being the biggest British bank robbery since such things went cyber.

Eventually, of course, the details will come out, but not in time for the so-called ‘challenger banks' for whom time really is of the essence. They have no time at all in which to pull the proverbial finger out and collectively ensure their security houses are in order.

So, what needs to be done in terms of assessing defence infrastructures? Although we don't yet know who was behind the Tesco Bank robbery, or details of the how the attack was carried out, we do know what needs to be done by other ‘challenger' banks by way of reviewing attack vectors.

“The key here for challenger banks is to ensure that they are protecting their core systems with good tradecraft and an integrated approach to security,” John Madelin, CEO at RelianceACSN told “Challenger banks should equip security teams with tools that can detect a compromise in real time, and ensure they have 24/7 coverage.”

Andersen Cheng, CEO at Post-Quantum, pointed out that “many challenger banks have launched solely online and to offer simple to setup and login features, often trading off security against usability.” Whilst traditional banks are slow to innovate, the good ones still have both physical and virtual security in place to guard against their most precious data.

“Virtually all the challenger banks' hosting is outsourced to third-party cloud providers,” Cheng warns, “and some of the banks' security operations have less than ten staff which also poses a potential threat due to the lack of segregation of duties.”

Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SC that cyber-security awareness amongst board members and stakeholders is vital, as security budgets often rely on their support. “Detailed and constantly updated security reports,” Botezatu says, “should be assessed and evaluated by board members, CISOs and CIOs.”  

The takeaway to all this is that banks should constantly test their infrastructures for security issues and vulnerabilities, as to constantly be prepared for any types of attacks.

“I anticipate that the big four UK banks will take similar steps to the online challenger banks to strengthen their cyber-security posture,” Michael Fimin, CEO of Netwrix, told SC. “They will revise their security policies and set up advanced monitoring systems to spot unauthorised activities, while also training staff to react quickly and fix problems before they inflict serious harm.”

The main difference will probably end up being that smaller challenger banks will be fighting harder to regain client loyalty. Certainly, the challenger banks are more exposed to financial and reputational risk, what with not being as well-established as the big four.

Cyber-criminals often target smaller organisations, including smaller banks, as they will have fewer resources to fight back with. “Breaking into a financial institution is about finding just one specific, often small vulnerability,” Pascal Geenens, a security evangelist at Radware reminds us, “whereas protecting the organisation is about covering all potential threats.”

The odds are stacked on one side of the fence, and it isn't on the defensive side.

So, will Tesco Bank be sharing attack data with others in the financial sector, or will they be equally in the dark during this phase of the criminal investigation? Most of the attack data will likely be treated as TLP Red (‘Traffic Light Protocol' and for named individuals only) until the process is better understood, and the National Crime Agency investigation has progressed somewhat.

“As information becomes available, however,” said Richard Betts, EMEA business development at Anomali. “It will be shared across peers through organisations like the Financial Services – Information Sharing & Analysis Centre (FS-ISAC.)”

Of course, both deep and dark web providers will also hear chatter and conversations between threat actors on the attack. “Most of this will be conjecture,” Betts suggests, “until Tesco is ready to share information with the wider industry.”

That said, it's a given that both Tesco and the NCA will be doing their absolute best to get relevant information to other banking organisations as expeditiously as possible.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews