Hackers stole money from about 20,000 customers of a British bank over the weekend — an unprecedented strike that cybersecurity experts said should be a cautionary tale for bank account holders in the United States.
The yet-to-be-identified hackers hit roughly 40,000 accounts at Tesco Bank, which is owned by Tesco, Britain's largest retailer. Money was taken from approximately half those accounts, leading Tesco to shut down online banking Monday.
"We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank," the company said in a statement Monday. "This afternoon we began the process of refunding all customer current accounts that have been subjected to online criminal activity."
Cybersecurity experts said it appears that hackers executed a well-planned assault that enabled them to directly loot people's accounts, something that hadn't been done on a wide scale in Britain or the United States.
"This was a sophisticated and systematic attack, and it could have taken place anywhere," said Bruce Snell, cybersecurity and privacy director at Intel Security in Santa Clara. "This shows that banking systems are not necessarily impenetrable."
Full details of the heist weren't immediately available. But some elements were extremely likely, said Robert Anderson, a former FBI executive who handles information security for Chicago-based Navigant Consulting.
"This wasn't some lone wolf. It involved people who knew what they were doing," Anderson said. "It was a targeted attack, not just against the bank but maybe against the vendors who work for it."
Anderson said that the attack could have come through third-party vendors who make credit and debit cards or do processing. "The bad guys want the data they have, and they go after it," he said.
The weekend heist could have a ripple effect.
"Tesco customers did not just lose money, they lost confidence in the bank and access to their funds in an instant," said Stephen Holmes, a senior security executive at VirtusaPolaris, an information technology consulting firm in Westborough, Mass. "Banks not only need to have active cyber defenses but also procedures that enable customers to get back onto the banking system post-attack."
Mark Graff, an analyst who once served as chief information security officer for the Nasdaq stock exchange, urged consumers to not assume that only major banking chains are targeted.
"Small banks, credit unions and other financial institutions are almost always more vulnerable these days than the big ones," Graff said. "Their defensive tools tend to be incomplete and out of date, their budgets are often inadequate and the cyber talent they can afford and have access to is seldom of the top rank."
Snell said that the attack provides banks with a good opportunity "to explain what they're doing to make people's money safe. The breaches of companies like Target and Home Depot weren't as personal as something like this."
Syracuse University researchers Michel Benaroch and Anna Chernobai said bank account holders shouldn't panic.
"Although it is scary to think that hackers might end up with money you have deposited in a bank, the good news is that IT systems offer audit trails that banks can use to trace data breaches and the customer accounts that have been affected," the researchers said in an emailed statement. "In the end, the probability of your individual personal account holdings being affected by hackers is still extremely low, almost negligible in practical terms."
Darin Andersen, chairman of CyberTech, a San Diego-based cyber industry trade group, said the Tesco incident "is jarring, but people should not lose hope when it comes to this kind of thing."
"The key here is to arm yourself with the tactics and techniques needed for good cyber hygiene," Andersen said. "Use good password protocols and train your family and businesspeople to support and adapt the latest, great technology that will thwart these kind of attacks."
Tyler Leet, a security executive at Computer Services in Paducah, Ky., gave similar advice.
"Inform yourself of the basics of personal cybersecurity and regularly monitor your accounts," said Leet, adding that people should set up automated alerts whenever possible.
"Also, conduct due diligence when selecting a financial institution," he said. "Try to gauge how seriously they take security and their level of 'cyber resilience.' Granted, most people are not security experts, but if you take a little time to better educate yourself on the risks and then ask the right questions, often you'll see if an institution begins to squirm and/or doesn't have good information and answers concerning those topics readily available."