Like many banking upstarts, Tesco Bank is competing on experience, a largely digital focus and rates. Unlike most upstarts, it has the power of a huge non-banking brand behind it.
While Tesco Bank is far from a banking behemoth, it has managed to build a profitable business with its customer base exceeding 7m.
But now, all of its gains are threatened by “a systematic, sophisticated attack” that affected 40,000 of the bank’s 136,000 current accounts and led to money being taken from more than 20,000 of them.
The Evening Standard called it “the most serious hack on the UK banking sector in recent history.”
In response, Tesco Bank has blocked online debit card payments and says that it will reimburse any losses from the apparent hack. “Customers are not at financial risk,” Higgins has reassured customers.
While cybercrime targeting financial accounts has become commonplace, the Tesco Bank attack is noteworthy for a couple of reasons.
First, while Tesco Bank is pointing out that relatively small amounts of money were taken from most accounts, the means by which a large number of accounts were apparently compromised is concerning. As the BBC explained…
…what is different is that it involves tens of thousands falling victim in a 24-hour period to what appears to be an automated process, rather than individuals clicking on links in phishing emails or having their details stolen after downloading malicious software.
That could involve the attackers exploiting a vulnerability in the bank’s website – or even gaining physical access to a branch and then the central systems.
Second, customers are not happy with Tesco Bank’s response. Affected customers reported difficulties in reaching customer service, and some who were able to reach customer service agents were apparently told that they would have to wait days for a resolution.
@tescobankhelp @tescobanknews My available balance has gone down by £700 without making a tx. I cannot get through by phone!!!
— Christopher Mills (@chrismi1) November 6, 2016
Even though branchless banks like Tesco Bank pride themselves on the 24/7 access they provide customers via phone, web and mobile apps, this incident highlights the fact that otherwise sufficient support networks might not be adequate when crisis strikes.
A possible setback for upstart banks, but what about fintech?
Already, observers like The Financial Times’s Claer Barrett are questioning whether the Tesco Bank attack will bolster trust in high street banks at the expense of startups.
While she points out that major high street banks are also vulnerable to security breaches, and big banks are not immune to reputation-threatening scandals of their own, this incident could create a perception problem for the Tesco Banks of the world.
Given that 78% of mobile banking customers are satisfied with the service, if big banks can convince consumers that they’re more secure, or let the failures of their startup competitors do that for them, it could make it much more difficult for Tesco Bank and others to lure consumers with promises of better experiences, lower fees and/or higher rates.
Whether the Tesco Bank attack has an impact beyond the banking sector remains to be seen. Some suggest that “the fallout will be felt across the wider fintech industry,” but while security is an issue for all financial service providers, there’s arguably less risk in other sectors that have been targeted by fintech startups.
For example, fintech players focused exclusively on markets like lending face very different risks, and few markets are arguably as sensitive to security as banking.
So while it’s possible that the Tesco Bank incident will cause consumers to think twice about doing business with a young fintech company, the effects will probably remain most pronounced in the market for bank challengers.