Cyber theft from 20,000 compromised Tesco Bank current accounts shows traditional approaches to security are not working and that companies are not taking the threat seriously enough, according to experts.
Tesco Bank halted online banking after 40,000 current accounts were compromised and half of those were hit by fraudulent transactions by hackers at the weekend.
Tesco Bank’s chief executive Benny Higgins said the bank knows exactly what the attack was, calling it “systematic” and “sophisticated”, but gave no details as the matter is still part of a criminal investigation.
That investigation is being led by the UK’s National Crime Agency (NCA), while the Information Commissioner’s Office (ICO) is looking into whether the bank is doing enough to secure personal data.
Although the bank has promised to cover all losses, shares in Tesco dipped 1% amid predictions that the brand could be damaged by the security breach, according to the BBC.
The attack on Tesco Bank is the latest in a series of cyber attacks that shows that financial information is not being sufficiently protected by the traditional security measures which fail in the face of an ever-evolving threat, according to Andrew Tschonev, technical specialist at security firm Darktrace.
“With attackers targeting everyone and anyone, today’s businesses cannot safely assume that it won’t happen to them,” he said, underlining the need for the capability to respond to malicious activity before serious damage is done.
“Tesco Bank has a long road ahead establishing exactly what has happened, who has been affected and how they can recover, which is going to be a complex task. However, the consequent shake-up in their security team should help strengthen their defences for the future.
“Other businesses will have to echo such reform in their own security practices, if they want to avoid being next,” said Tschonev.
Cyber security a ‘business imperative’
The attack on Tesco Bank should finally be the tipping point for businesses to take cyber security as seriously as they should and to think of it as a business imperative rather than just an IT problem, said Adrian Davis, managing director for Europe, Middle East and Africa at (ISC)², the world’s largest independent body of information security professionals.
However, he said he fears that even this attack will go largely unheeded, even though it is a clear sign that business is losing control of risk.
“More than a year after TalkTalk dominated headlines in the UK for losing their customer records, we continue to see at least half a dozen headlines a week about new cyber security breaches,” said Davis.
“News of the latest breach comes from the financial sector, generally known to be leaders in this field, so clearly the business world has yet to treat the risks as seriously as they must,” he said.
Davis believes that despite growing awareness of the issues, business leaders are losing control and visibility of core business risk.
“They have not realised just how much their organisations have changed in the digital age, and how this is leaving them vulnerable. They have not treated cyber risk as anything more than an IT problem, and now they – and we – are paying the price,” he said.
Davis said the UK government’s latest five-year national cyber security strategy articulates an expectation from business to have a detailed understanding of the risks to their systems and networks and to raise standards in the effort to mitigate them.
“It is a clear demand to business to do their part in securing the economy, the country and its citizens, and a promise that regulators would assure cyber risk is being managed to the level demanded by the national interest. Tesco has proven this to be necessary,” he said.
Security risk concerns
These types of high-profile hacks are propelling cyber security to the top of board risk concerns, according to Nik Whitfield, CEO of big data security analytics firm Panaseer and former head of the banking technology business at BAE Systems Detica.
“The changing digital environment is challenging firms everywhere with regards to security. You not only need to be able to detect and respond to threats at the speed of business, you also need to understand what your security posture is, what that means in terms of how easy it is for threats you face to compromise your systems, and what business impacts you are exposed to as a result,” he said.
According to Whitfield, being able to understand and explain a company’s current security posture to clients, regulators and insurance companies is only going to become more important.
“To do that, organisations must use data to get an accurate and timely picture of how secure they are, because that picture can shift day-to-day either because your internal environment changes, or because of factors outside your control such as a new vulnerability being discovered,” he said.