40,000 Compromised Accounts at Tesco in 24 Hours

Tesco experienced a significant online fraud breach over the weekend, with over 40,000 fraud attempts against customer accounts through their Online Banking channel.

Tesco admits that they stopped about 50% of the fraud attempts but 20,000 customer accounts appear to have been compromised with a fraud loss.

Customers affected by the fraud noticed withdrawals from their accounts of between 500 GBP and 2500 GBP, with many of the transactions being made in Spain and Brazil.

In response to the massive fraud attack, Tesco took the unprecedented step of freezing all online banking access for their more than 140,000 current account customers.

The Telegraph posted a copy of the text that Tesco sent to all their customers yesterday informing them of the freeze. In the meantime, the blockage left customers unable to get through on the telephony channel with their inquiries, and wait times soared.

Fraud Rate Soars, Breach is Suspected

With 140,000 current accounts and 40,000 of those accounts compromised in less than 24 hours, that means 1 in every 3 customers had their current accounts compromised.

While Tesco is not admitting the source of the problem, it appears likely that a massive breach could be behind this significant fraud attempt.

Or worse, this could be an inside job.  Banks like Tesco are worried that an employee could easily sell a tranche of hundreds of thousands of customer credentials and accounts to an outside criminal organization.

Do the Math.  The Problem is Massive.

Assuming 20,000 accounts had successful withdrawals of between 500 GBP and 2500 GBP, the fraud losses will be between 10 million and 50 million GBP in a 24-hour period.

With such massive losses racking up by the hour, it is no wonder that Tesco took the unprecedented step of turning off online banking for their more than 7 million customers.

Loose Security Protocols?

This isn’t the first time experts would suspect a breach at Tesco. In 2014 Troy Hunt published an exposé of how he believed a prior hack at Tesco had occurred. You can read it here: How The Tesco Hack Happened. At that time he found numerous security flaws, including no protection against brute force attacks on their online banking channel.

I don’t know what their “limit is”, but there’s 20 consecutive failed login attempts against my account with no lockout. I’m still able to successfully login immediately after all those failed attempts.

Frank McKenna is the Chief Fraud Strategist for PointPredictive and a Fraud Consultant based in San Diego, California.