The attack on Tesco Bank which led to money disappearing from 20,000 accounts “looks unprecedented in the UK”, a regulator has said.
Andrew Bailey, chief executive of the Financial Conduct Authority (FCA) told MPs he was worried about weaknesses in banks’ complex IT systems.
About 40,000 accounts saw suspicious transactions over the weekend, of which half had money taken.
Mr Bailey said he was confident that all those affected had been identified.
Tesco Bank said that it was working as fast as possible to refund customers’ accounts and expected to do so for all those affected by the end of Tuesday.
Online shopping blocked
Tesco Bank said it was hit by a “a systematic, sophisticated attack” at the weekend. An estimated one in seven Tesco Bank current accounts were affected.
The bank’s chief executive Benny Higgins said the bank knew “exactly” what the attack was, but could not say more because it was part of a criminal investigation.
Current account customers have been blocked from making online payments using their debit card since Sunday.
Mr Bailey, who was appearing before the Commons Treasury Committee, said the FCA and the bank wanted this function switched back on for customers as soon as possible.
He said that there was no shortage of resources to call on to react to the attack at the weekend, with security services, government and Treasury officials all informed.
The National Crime Agency (NCA) is leading the investigation into the case.
Tesco Bank has not outlined any more details about the method of attack, nor when debit card use will be fully functioning again.
Despite a series of questions from BBC News on this, no more details are being offered at this stage.
Mr Bailey, of the FCA, expressed concern to MPs that cyber-fraudsters were looking for weaknesses in the system. The more complex banks’ IT systems were, the more potential “points of entry” were available for criminals.
“The heart of concern is what is the root cause of this [Tesco attack] and what it tells us about the broader threats,” he said.
The FCA itself admitted to not being “over-endowed” with IT expertise on its board, but it had recruited a technical adviser at board level two months ago.
Banks must refund unauthorised payments immediately in the case of fraud, unless they have evidence that the customer was at fault or the payment was more than 13 months ago.
Banks are also required to refund any charges or interest added to your account as a result of the fraudulent payments.
Tesco Bank has been owned by Tesco plc since 2008, after starting as a joint venture with Royal Bank of Scotland.