Cybersecurity experts and IT auditors better saddle up — the world just experienced its first successful digital bank robbery.
The Tesco heist
Last weekend cyber criminals executed a sophisticated attack on Tesco Bank (subsidiary of the British grocery chain) and successfully stole £2.5 million (~$3.1 million) from customer accounts. While the money was refunded quickly and Tesco assured customers that no personal data was compromised, it’s still a huge security failure for them.
Reports initially said around 30% of the company’s 136,000 current accounts got hit. However, new numbers released by the company said only 7% were actually missing money.
So far, investigators have not released any information about possible suspects but one Member of Parliament is speculating it could be a foreign government entity (coughRussiacough) to blame. Let’s hope it’s not state-sponsored and it’s actually some run-of-the-mill criminal they can just lock up.
Digital bandits get creative
If you didn’t believe it before when we talked about cyber extortion, it is safe to say that now we are officially entering the digital wild west! This is the first time hackers actually succeeded in stealing money directly from a bank. The Wall Street Journal reports:
Criminals have hacked into banks before, but it is rare for them to actually withdraw money from customer accounts. Thieves targeted J.P. Morgan Chase & Co. two years ago and got access to names, addresses and other information of 76 million customer households, but the bank said they didn’t steal funds.
In general, most banks have an electronic vault that is hard to crack, so it would be difficult for thieves to run away with actual moolah. But that doesn’t mean banking data isn’t a prime target for cybercriminals, according to the 2016 Verizon Data Breach Investigations Report:
As consumers began to access financial information online, cybercriminals targeted the theft of both login credentials and ultimately the money in the accounts. Financial account login credentials can be used to exfiltrate money through transfers via online banking applications. Phishing and malware can team up to capture account and routing numbers to commit ACH Fraud. The Crimeware pattern makes another appearance in the form of banking Trojans (e.g., Zeus, Dyre and Dridex) that have evolved to efficiently target static and thus reusable banking information. Privilege Misuse by banking employees is another pattern that leads to banking data loss. Simply put, employees have access to this data, and often use it for their own gain solely or in collusion with external criminal groups.
The financial services industry ranked third in the number of cyberattacks last year. Incidents occur daily, but few are large enough to hit the news.
Banks fight back
Due to their vulnerability to cybercrime, banks are getting smarter — even banding together rather than going it alone with their security measures. For example, in August, the Wall Street Journal reported that eight mega banks started a cybersecurity club to share information and ideas.
It’s just too bad Tesco Bank wasn’t invited to the club. Tesco Bank's claim that “the security of your accounts is a priority for Tesco Bank” is almost laughable now. But, as a smaller bank with only 7 million customers (most of whom are inactive), it might not have the resources to create a digital fortress the way the bigger banks can. Just look at J.P. Morgan — its budget for cybersecurity this year alone is $600 million.
But, even without a big budget for cybersecurity, the company sure did get a reality check and has quite the headache to deal with now. Regulators are ready to hand out fines for shoddy controls. One estimate says the company may be on the hook for nearly £2 billion in fines under the EU’s General Data Protection Regulation.
Getting caught with their pants down sounds like it will be very expensive. Other banks, large and small, would be wise to learn from their mistake. Hey, I’m sure we could drum up a few rockstar IT auditors to test for vulnerabilities.
Are banks sitting ducks for this type of crime? Are companies and regulators doing enough to protect customers’ money?