Tesco Bank has blamed a sophisticated cyberattack for the theft of money from 20,000 of its online current account holders, and says there still isn't any projected timeframe for when customers will regain access to internet banking.
A spokesperson for the bank confirmed to ZDNet that the company knows what caused the "systematic, sophisticated cyberattack", but wouldn't provide more information due to the ongoing criminal investigation into the incident, which saw suspicious activity in a total of 40,000 accounts.
As a result of the thefts, Tesco Bank has frozen online transactions for all of its 136,000 current account holders following what is has called "online criminal activity" spotted over the weekend.
Customers are still unable to make online banking transactions as a precaution against further fraud, with no indication of when activity will be back to normal. A Tesco Bank spokesperson told ZDNet the bank will "keep our customers updated when there's further to say".
The National Crime Agency has confirmed it is "coordinating with law enforcement" in response to the data breach. The Information Commissioner's Office is also examining the incident.
"We're aware of this incident and are looking into the details. The law requires organisations to have appropriate measures in place to keep people's personal data secure. Where there's a suggestion that hasn't happened, the ICO can investigate, and enforce if necessary," an ICO spokesperson told ZDNet.
Tesco Bank has begun the process of refunding customers who had finances stolen from their accounts by cybercriminals.
"We can reassure customers that any financial loss as a result of this activity will be resolved fully by Tesco Bank. This afternoon we began the process of refunding all customer current accounts that have been subjected to online criminal activity and we expect this process to be completed by the end of tomorrow," said Tesco Bank chief executive Benny Higgins.
Customers were informed of the fraudulent activity via text message on Saturday night and have been told they can still use their accounts for cash withdrawals and Chip-and-PIN payments, while all existing bill payments and direct debits will continue as normal.
Rt Hon. Andrew Tyrie MP, chairman of the House of Commons Treasury Select Committee, says the Tesco Bank incident represents "just the latest in a long list of failures and breaches of banking IT systems, exposing many thousands of customers to uncertainty and disruption".
Mr Tyrie will also be writing to Tesco Bank CEO Higgins to ask what actions are being taken to reduce the likelihood of a similar attack happening again. "We can't carry on like this," he said.