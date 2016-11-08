* 9,000 customers robbed in 'unprecedented' raid
* New cyber security body investigating nature of attack
* Money repaid as of 2200 GMT Tuesday
* Other small banks could also be vulnerable -experts
By Lawrence White and Tom Bergin
LONDON, Nov 8 Retailer Tesco Plc's banking arm
said on Tuesday that 2.5 million pounds ($3 million) had been
stolen from 9,000 customers over the weekend in what cyber
experts said was the first mass hacking of accounts at a western
bank.
Tesco Bank said it had resumed full service after the theft,
which forced the suspension of online transactions on Monday.
"We've now refunded all customer accounts affected by fraud
and lifted the suspension of online debit transactions so that
customers can use their accounts as normal," Tesco Bank CEO
Benny Higgins said in a statement.
The bank, whose operating income has accounted for as much
as a quarter of Tesco's total in some years, added that no
customer data had been compromised.
The National Cyber Security Centre (NCSC), a new government
body, said on Tuesday that it was working with criminal
investigators and Tesco to understand the nature of an attack
described as "unprecedented" by the financial regulator.
The NCSC and Britain's National Crime Agency said they could
not remember another confirmed case where thieves had stolen
large sums of money via a mass hacking of accounts at a Western
bank.
The bank has provided few details about what happened. It is
not clear how online thieves broke into the bank, how they
pulled out the funds or how much was stolen. It is also not
clear if there are any suspects.
A spokeswoman for Tesco declined to comment beyond its
previous statement on Monday.
SMALLER BANKS AT RISK
Cyber experts said that smaller banks, like Tesco's, are
more vulnerable to attack than global financial institutions,
which have bigger cyber security budgets.
JPMorgan, for example, has disclosed that it spends
about $600 million on cyber security annually.
"Smaller and medium-sized companies may be more vulnerable,
many of them have not invested properly in security measures and
an incident like this should stimulate them to think again,"
said Sergio Romanets, cyber security expert at consultant
Greyspark Partners in London.
Cyber and IT security risks have received little coverage in
Tesco Bank's most recent annual report, according to a Reuters
analysis, with just one mention - saying "of note is the
industry-wide attention on cyber-crime".
Rival J Sainsbury Plc's bank unit and Metro Bank
Plc, two other smaller "challenger" banks in Britain,
each mention cyber and information security at least three times
in their most recent annual reports. By contrast, among the
country's biggest banks, Santander UK has at least 49 mentions,
Barclays at least 14 and Lloyds 32.
Tesco Bank runs on separate IT systems from the group's
retail unit. The lender was originally set up as a joint venture
with Royal Bank of Scotland and Tesco Plc in 1997 before
becoming wholly owned by the retailer in 2008.
U.S. financial technology provider Fiserv provides
its online retail banking platform and its financial crime
prevention system, according to Fiserv's website.
"There is no indication that our software or services were
involved in the incident that Tesco Bank experienced over the
weekend. Nonetheless, we are offering our support in whatever
manner will be helpful to Tesco Bank," a spokeswoman for Fiserv
said in an emailed statement to Reuters.
Tesco Bank has spent 500 million pounds ($618.75
million)building up its technology platform over the past seven
years since the split with RBS, accounts show.
Britain's financial regulator sought to reassure the public
on Tuesday that financial authorities were working to understand
the nature of the attack.
On Monday, lawmaker Andrew Tyrie, chair of Parliament's
powerful finance committee, said both banks and regulators had
done too little to improve cyber security.
Reported attacks on financial institutions in Britain have
risen from just five in 2014 to more than 75 so far this year,
according to Financial Conduct Authority data, but bank
executives and providers of security systems say many attacks go
unreported.
($1 = 0.8081 pounds)
(Additional reporting by Andrew MacAskill, Jim Finkle and Eric
Auchard; Editing by Mark Potter, Pravin Char and Dan Grebler)