The scale of the Tesco bank hack was unprecedented and shook the industry to its core. Kirsten Bay, president and CEO at Cyber adAPT, looks at what happens next, what vulnerabilities have been exposed, and what lessons the industry can take away from the incident and its effect on consumer attitudes

The recent Tesco Bank hack has left the retail banking world reeling, searching for answers and more effective ways to secure networks against future attacks.

It has been revealed weaknesses in the bank’s mobile applications left the door open for cybercriminals to brute-force their way in and take more than £2.5m of customers’ money. Worse still, the bank had been warned by several security experts of this weakness prior to the attack.

How Tesco got it so wrong

It was the largest ever cyberattacks on a UK bank. One of the most significant things about the Tesco hack was that customer accounts were penetrated forcefully without any credentials, which has not happened before. Cybercriminals broke into Tesco Bank’s computer system and stole £2.5m from the current accounts of 9,000 customers.

The result was the scenario many people are most afraid of, that of waking up one morning and finding your bank account is completely empty.

Tesco had a responsibility to protect its customers and, by not doing so, has created an erosion of trust.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

What has tarnished consumer trust is the revelation of vulnerabilities that penetration testers had warned Tesco of several times prior to the hack.

While we now know Tesco was aware of the cracks in its security perimeter, it is clear that it either was not aware of the potential scale of the attack, or it simply was not equipped to deal with a cyberattack on this level.

In a moment of malicious compromise, Tesco should have had the appropriate detection and remediation protocols in place to stop the hackers before they could remove actual money from customer accounts.

Keeping pace with multiple threat vectors

With the increasing number of connected devices for cybercriminals to exploit, there are more threat vectors than ever for companies to protect.

It has never been so easy for cybercriminals to obtain confidential information. With the proliferation of mobile devices, social media and social engineering, there are now a million and one ways to reach an individual and gain the keys to the kingdom.

Platform firewalls can easily be misconfigured, creating backdoors for hackers to find vulnerabilities and exploit them. The more complex the network, the greater the likelihood they will make it in undetected.

The edgeless perimeter

Risks are now increasingly extending beyond the perimeter to the individual user via social engineering. We have already seen compromised chip sets, backdoors in operating systems, and rogue apps placing malware on the device.

The greatest element of concern in 2017 is how expanded attack vectors allow for lateral movement, with the bad guys looking to utilise mobile platforms as a means of gaining access to the core of the network.

While the Tesco Bank breach will elevate security further towards being thought of as a high-ticket item, many are left questioning how the industry will act together to resolve the issue.

Like the Heartland breach in the US in 2015, the company thought it was fully compliant and was still compromised, resulting in a year-long rehabilitation campaign.

Instead, we should be asking what the industry is doing wrong. The industry at large has not embraced the notion of hyper-connectivity, which means users and clients alike are all individual vectors of threat.