The banking arm of UK supermarket chain Tesco has frozen transactions after revealing that money has been looted from 20,000 accounts.
The bank discovered the breach over the weekend, observing "criminal activity" in some 40,000 accounts, with funds disappearing from 20,000 customers.
The issue came to light after customers complained about money being withdrawn without permission, cards being blocked and long delays to get through to the bank on the phone. The bank has not revealed how much money was lost to the fraudsters, although customers reported that hundreds of pounds had been siphoned from their accounts, with one victim losing £2,400.
In a statement, the bank's chief executive Benny Higgins says: "As a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers. While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal."
The bank, which has more than seven million customers and 136,000 current accounts on its books, has yet to reveal the nature of the fraud, but says that it is working with the police and regulators to track down the missing funds.
Says Higgins: "We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank, and we are working to refund accounts that have been subject to fraud as soon as possible."
Andrew Tyrie, chair of the Parliamentary Treasury Committee, lamented the latest in a long list of failures and breaches of banking IT systems, saying "We can't carry on like this".
"Millions of customers remain unnecessarily exposed to the risks of IT failures, including delays in paying bills and an inability to access their own money," he says. "I will be writing to Tesco Bank's Chief Executive to find out what went wrong, and what actions are being taken to reduce the likelihood of it happening again. Making sure that banks improve their IT systems, and their resilience to cybercrime, is also a responsibility of regulators. We will raise this issue with them again shortly."
Update: Still no word from Tesco on the exact nature of the fraud, although the bank's chief Higgins describes it as "a systematic, sophisticated attack". Hauled before the Treasury Committee to provide an update on the investigation, FCA chief executive Andrew Bailey provided no further details, except to say that the attack "looks unprecedented in the UK".