By Mr Andrew Charlesworth, Reader in IT Law, and Prof Keith Stanton, Professor of Law (University of Bristol Law School).
© Tesco Bank
The day has arrived on which a cyber attack has succeeded in breaching a bank’s security with the result that customers’ money has been taken from their accounts. According to press reports the accounts of around 40,000 customers of Tesco Bank have been accessed and the bank has refunded £2.5 million to 9,000 who have had money removed.
Banks’ IT systems are an obvious target for cybercriminals. The fact that such systems contain both money and data on customers makes them extremely tempting. As banks have developed new channels for delivery of services, such as websites, mobile applications and social media, these have often been added, or linked, to existing out-dated systems. This increased complexity may mean that new avenues of attack are inadvertently created, and make it difficult for a bank to rapidly pinpoint the source of system risks and breaches. The increased use of distributed computing, with multiple systems running across multiple servers, can also create new system risks and simultaneously increase the number of staff requiring access. While external threats are increasing, it appears that industry insiders remain responsible for a significant share of bank fraud. How the Tesco cyber attack was carried out remains unclear, but the scale and speed of the transfer of funds suggests a degree of sophistication. Continue reading