The U.K.’s Tesco Bank was hit by what it described as a “systematic, sophisticated” hack over the weekend that saw large amounts of money swiped from customers’ accounts.
It was initially thought that some 20,000 accounts had been targeted. However, on Tuesday, the bank confirmed that 9,000 customers had money taken from them in the online heist, and that the bank had made refunds to all those affected to the tune of 2.5 million British pounds (about $3.1 million U.S.), according to the BBC.
The bank added that no personal data was compromised in the attack.
After the hack was discovered on Sunday, when thousands of shocked customers reported fraudulent activity on their accounts, officials at the bank made the decision to temporarily stop online transactions. Customers with money still in their accounts were still able to use their cards for ATM cash withdrawals, store payments, and all existing bill and direct debit payments.
All of Tesco Bank’s services are now operational again, while an investigation is underway to discover how the attack took place and who was behind it.
While banks are often the target of online fraud through methods such as phishing scams, having money stolen directly from accounts in this manner has clearly taken many by surprise. The U.K.’s Financial Conduct Authority (FCA) regulatory body went so far as to describe the fraud as “unprecedented.”
FCA chief Andrew Bailey told a committee of lawmakers this week that he had concerns regarding weaknesses in banks’ complex IT systems.
He said that elaborate systems meant there were potentially more points of entry for cybercriminals to exploit, adding, “The heart of concern is what is the root cause of this [Tesco attack] and what it tells us about the broader threats.”
Tesco is a household name in the U.K. thanks to its prominence in the supermarket industry. While its first grocery store opened almost 100 years ago, it only launched its first bank in 1997, in a joint venture with the Royal Bank of Scotland.
This week’s hack is a major embarrassment for the bank, and the pressure is on for it to reassure customers that its IT systems are secure enough to prevent a similar kind of incident in the future.