Hackers Pull Off Digital Bank Robbery, Steal £2.5 Million From 9,000 People

Chris Gaetano
Published Date:
Nov 11, 2016

Hackers broke into a U.K. bank this week and stole 2.5 million pounds (roughly $3 million) from 9,000 account holders, choosing to ignore the personal data that that typified other recent breaches and go straight for the money, according to the BBC. The target, Tesco Bank, refunded all affected customers, as British law requires that banks refund all unauthorized payments immediately in the event of fraud unless there is evidence the customer was at fault or the unauthorized payment took place more than 13 months ago. 

While investigation into the matter is still ongoing, authorities believe that an internal security breach may be to blame, with one member of Parliament saying it was the work of a foreign power, according to The GuardianInfo Security Magazine said there could be a link with a particular type of malware called Retefe, a sophisticated Trojan horse that disguises itself as a benign email attachment to lift passwords that could be used to access other parts of the system. The malware has also been spotted this year in Switzerland, Sweden and Japan. The Register also pointed out that the bank's systems seemed particularly easy to compromise, as the default user login was the account holder's email address, and required only numbers for its passwords. 

The hack was unusual in the sense that it directly stole money from bank customers, versus just their personal information, according to The Wall Street Journal. For example, when hackers broke into JP Morgan two years ago, they lifted personal information from 76 million customers, but no funds had been stolen. However, it's not completely unprecedented: in 2013 hackers targeted multiple banks in a short time to steal hundreds of millions of dollars (as well as make random ATMs spew cash), while earlier this year hackers attempted to steal nearly a billion dollars from the central bank of Bangladesh and managed to make off with $80 million before being detected. 

Click here to see more of the latest news from the NYSSCPA.