Tesco Bank criticised for its “lax” security system


Following what was dubbed the largest cyber-attack in U.K. banking history, Tesco Bank has a lot to answer for over the ‘suspicious activity’ seen on 40,000 bank accounts, thousands of which were successfully hacked with money going missing.

What originally was thought to be a hack into 20,000 customer accounts was revised down to 9,000, in which £2.5 million was stolen.


Not that it makes the situation any better, but Tesco Bank has reimbursed all stolen funds from the cyber-hack. The National Cyber Security Centre (NCSC) is now on board to investigate what happened and make sure this sort of thing doesn’t happen again.

The NCSC is an authoritative voice on information security in the U.K. which aims to ensure that people are safer online and that the critical national infrastructure of the U.K. is secure.

The NCSC along with the National Crime Agency are looking into the cyber-attack.

Cybersecurity expert thoughts…

Cybersecurity experts like Ian Mann said the size of the breach indicates that Tesco’s internal system was hacked. Mann criticises Tesco’s system by stating that the method of access for its customers was “weak for this type of system”.

The reason for this is that, according to reports, the username is your email address by default and you are only asked to enter certain digits from your numeric PIN. Requiring only selected digits means the bank must be able to check individual digits of a stored PIN, so the PINs cannot be protected with a one-way hash in the way a password normally is and have to be kept in a recoverable form. If the stored PINs were recoverable, anyone who reached them could have had easy access, since the usernames and PINs would be exposed together.

Another cyber-security company, Cyberint, said that warning signals had been posted on several dark web forums, with members describing Tesco Bank as a “cash milking cow” and “easy to cash out”. The forum showed members discussing a “brute forced” technique for accessing the bank accounts, which was apparently tested on thousands of login and password combinations until one worked.

There are no substantial links between the stolen money and these claims, but the coincidence is hard to ignore. It is hard to pinpoint a single cause of the data breach, as the Bank has declined to comment while the matter is part of an ongoing criminal investigation.
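To make the two points above concrete, here is an added Python example (it is not from the article and does not describe Tesco Bank's actual system) contrasting a full-PIN check, which can use a salted one-way hash, with a selected-digit check, which has to keep the PIN in recoverable form and so relies on failure lockout to blunt guessing; the PIN values, round count and lockout threshold are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # constructed parameter for this demo
MAX_FAILURES = 3         # constructed lockout threshold for this demo


def store_full_pin(pin: str) -> dict:
    """Full-PIN login: the PIN is checked whole, so a salted one-way
    hash suffices and the stored record never reveals the PIN itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_full_pin(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["digest"])


def store_partial_pin(pin: str) -> dict:
    """Selected-digit login: to check "digits 2 and 5" the server must be
    able to look at individual digits, so the PIN is kept recoverable
    (unprotected here; in practice reversibly encrypted). A one-way hash
    of the whole PIN cannot answer a partial challenge."""
    return {"pin": pin, "failures": 0}


def partial_challenge(pin_len: int, k: int = 2) -> list:
    """Pick k distinct 1-based digit positions the customer must supply."""
    return sorted(secrets.SystemRandom().sample(range(1, pin_len + 1), k))


def verify_partial_pin(record: dict, positions: list, supplied: str) -> bool:
    """Check the supplied digits; count failures and lock the account,
    because each challenge exposes only 10**k candidate answers."""
    if record["failures"] >= MAX_FAILURES:
        return False  # account locked; even a correct answer is refused
    expected = "".join(record["pin"][p - 1] for p in positions)
    ok = hmac.compare_digest(expected, supplied)
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```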

Tesco Bank ignored warning signals

There seem to have been multiple warning signals, as a second cybersecurity company said it had warned Tesco of problems with its mobile apps four months before the incident. As a ‘second-tier’ bank, Tesco may have found it difficult to develop coherent mobile security software compared with top-tier banks like Natwest and Barclays.

Financial penalties

As a company, Tesco Bank seemingly failed to adhere to the Data Protection Principles stemming from the Data Protection Act – that organisations have a duty to protect their customers’ data from data breaches. By failing to do so, Tesco will probably be penalised by the Information Commissioner’s Office (ICO). The ICO has the authority to impose fines of up to £500,000. Following a revamp of EU data protection rules, I’m sure Tesco will be writing a hefty cheque for its failure to protect its customers’ data, as one estimate puts the fine Tesco would face under the new General Data Protection Regulation at nearly £2 billion.

Lesson learned

This is a word of warning for all companies and organisations that cybersecurity should be at the forefront of everyone’s mind. If companies were proactive about their cybersecurity, they wouldn’t have to face such disastrous consequences. I’m sure this will be a lesson learned for Tesco Bank to take data protection more seriously.



Content is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'