Tesco Bank facing probe over claims it ignored Visa hacker warning

A probe has been launched into Edinburgh-based Tesco Bank over whether it failed to heed warnings of a security flaw in its payment systems prior to them being targeted by hackers who made off with millions of pounds' worth of customer deposits.

According to reports, authorities believe that the challenger bank, which employs most of its 4,000-strong workforce in Edinburgh and Glasgow, may have failed to act on a warning from Visa issued a year ago.

The attack at the start of November saw £2.5 million stolen from 9,000 customer accounts.



Investigators at the National Crime Agency (NCA) and the Financial Conduct Authority (FCA) believe that the hackers used customised computers to leverage an alleged Code 91 glitch, which allowed them access to customers’ card data, The Times has reported.

Andrew Tyrie, chairman of the Treasury select committee, has reportedly said that he and his committee are closely following the investigation.

The newspaper claims that this could result in regulatory action being taken against the bank, if any evidence of wrongdoing is uncovered.

“The recent lapse in security at Tesco Bank, which enabled criminals to directly access the money of thousands of customers, was unprecedented in its seriousness,” Mr Tyrie said, according to The Times report.

According to the allegations, Visa had reportedly warned banks about low-value transactions in particular. The firm had allegedly cautioned that cybercriminals could attempt to siphon off relatively small amounts from victims’ accounts, as a way to verify the validity of credentials, before launching a large-scale attack.

The Times cites three anonymous sources who claim that, while most banks updated their systems, Tesco Bank ignored the warning.

If true, the allegation would mean that the decision not to heed Visa’s alarm left Tesco Bank’s systems vulnerable to cyberattacks and now leaves the lender open to penalties as well as a customer backlash.

Responding to the reports, an FCA spokesperson said: “We can confirm that earlier this month the FCA alongside other authorities and agencies communicated with banks to highlight certain concerns regarding debit card payments. We do this as part of our business practices when needed. Due to the ongoing criminal investigation, we can’t comment any further.”

“In general, the FCA requires banks to have systems and controls to counter the risk that they are misused for the purposes of financial crime risk of all types, including fraud, money laundering and data security breaches.

“A bank is required to refund all unauthorised transactions within 24 hours, providing that the transaction was not compromised by a customer or made over 13 months ago,” the spokesperson added.

A spokesman for Tesco Bank said: “We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency. This remains a criminal investigation. We refunded each customer account in full and have taken steps to help to reassure our customers that they can bank safely and securely at Tesco Bank. We have also confirmed directly with every customer affected that none of their customer data was lost or stolen.”

They added: “This incident has highlighted that all banks need to work together in the interests of all customers and the financial system.”
