A probe has reportedly been launched into Tesco Bank to determine whether the bank failed to heed warnings of a security flaw in its payment systems, which may have allowed hackers to make off with millions of pounds. Authorities believe that the bank may have failed to act on a warning from Visa, issued a year ago, according to reports.
Investigators at the National Crime Agency (NCA) and the Financial Conduct Authority (FCA) believe that the hackers used customised computers to leverage an alleged Code 91 glitch, which allowed them access to customers' card data.
Andrew Tyrie, chairman of the Treasury select committee, has reportedly said that he and his committee are closely following the investigation. He allegedly indicated that regulatory action against the bank may be taken if any evidence of wrongdoing is uncovered.
"The recent lapse in security at Tesco Bank, which enabled criminals to directly access the money of thousands of customers, was unprecedented in its seriousness," Mr Tyrie said, The Times reported.
Visa had reportedly warned banks about low-value transactions in particular. The firm had allegedly cautioned that cybercriminals could attempt to siphon off relatively small amounts from victims' accounts, as a way to verify the validity of credentials, before launching a large-scale attack.
Three unspecified sources told The Times that while most banks updated their systems, Tesco Bank allegedly ignored the warning, leaving its systems vulnerable to cyberattacks. If the probe finds any evidence of the bank having ignored warnings, Tesco Bank could face penalties as well as potential backlash from its customers.
"We can confirm that earlier this month the FCA alongside other authorities and agencies communicated with banks to highlight certain concerns regarding debit card payments. We do this as part of our business practices when needed. Due to the ongoing criminal investigation, we can't comment any further," an FCA spokesperson said, according to The Times.
"In general, the FCA requires banks to have systems and controls to counter the risk that they are misused for the purposes of financial crime risk of all types, including fraud, money laundering and data security breaches.
"A bank is required to refund all unauthorised transactions within 24 hours, providing that the transaction was not compromised by a customer or made over 13 months ago," the spokesperson added.
A spokesman for Tesco Bank said: "We identified the fraud quickly and communicated immediately with our customers, the Financial Conduct Authority and National Crime Agency. This remains a criminal investigation. We refunded each customer account in full and have taken steps to help to reassure our customers that they can bank safely and securely at Tesco Bank. We have also confirmed directly with every customer affected that none of their customer data was lost or stolen.
"This incident has highlighted that all banks need to work together in the interests of all customers and the financial system," the spokesperson told The Times.
Tesco Bank earlier confirmed that the cyberattack saw £2.5m ($3.09m) stolen from 9,000 customer accounts.