The National Crime Agency and the National Cyber Security Centre are looking into the theft. Photograph: Murdo Macleod for the Guardian

Tesco Bank has revealed that the “unprecedented” attack on its online accounts at the weekend resulted in the loss of £2.5m. The banking arm of the supermarket chain also revised down the number of accounts from which money was removed from 20,000 to 9,000 and announced that banking services had been restored for all its customers.

Tesco bank issued its update hours after Andrew Bailey, the chief executive of the Financial Conduct Authority, told MPs that the incident was unprecedented in the UK and regarded as serious. Bailey told the Treasury select committee that “there are elements of this that look unprecedented and it is serious, clearly”.

Benny Higgins, the chief executive of Tesco Bank, apologised to customers. “Our first priority throughout this incident has been protecting and looking after our customers, and we’d again like to apologise for the worry and inconvenience this issue has caused,” he said. “We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’d also like to reassure our customers that none of their personal data has been compromised.”

Tesco Bank said it was continuing to work closely with the authorities and regulators in their criminal investigation.

The National Crime Agency (NCA) is one of a number of organisations scrutinising what has taken place at the supermarket chain’s banking arm, which has more than 7 million customers.

The National Cyber Security Centre, the new division of the surveillance agency GCHQ created last month, confirmed it was working with the NCA, which has launched a criminal inquiry. The NCSC said it was “providing direct assistance to the company at their request, including on-site assistance”.

“In the case of cyber-related incidents, it can, on certain occasions, take a significant period of time to understand the incident given the technical complexities involved. So the story will emerge over time. During this period it is vital that nothing is said publicly that could interfere with the criminal investigation,” the NCSC said.

“Given the investigation thus far and the evidence at hand, the National Cyber Security Centre is unaware of any wider threat to the UK banking sector connected with this incident.”

Bailey told MPs that the FCA was in close contact with Tesco and the bank had reassured the regulator that the customers whose money had been stolen would be reimbursed by the end of Tuesday. He said it was too early to know the exact cause, but said it appeared to be related to debit cards and that computer hackers were looking for weaknesses and “points of entry” into banks.

“It looks like it’s [in] online banking, clearly appears to be on debit card side of online banking as far as we can tell. But it requires further urgent analysis ,” said Bailey. He said he was confident that Tesco knew which customers were affected by the incident which began to unfold on Saturday night when the bank began texting customers about unusual activity from their accounts.



A number of theories have circulated about the cause of the problem, including that it was caused by an internal security breach. Conservative MP Chris Philp, a member of the Treasury select committee, has raised the idea that it could have been the work of a foreign power. “I think we can’t rule out the possibility, at all, that this is state-sponsored,” he told the BBC earlier this week.



As the crisis was unfolding, Higgins had said the decision to suspend some banking activities was an attempt to protect customers from “online criminal activity”. He described the raid as “a systematic, sophisticated attack”.



The NCSC said its role was to provide support to the investigation, work with the company concerned to manage the incident, investigate the root causes, and use any lessons learned to provide future guidance and policy on cybersecurity.

The Information Commissioner’s Office is also scrutinising the situation. It fined telecom company TalkTalk a record £400,000 in October for failing to stop the personal data of 157,000 customers being hacked.

Andrew Tyrie, the Conservative MP who chairs the Treasury select committee, said after the hearing that “the attack on Tesco’s retail accounts is deeply troubling. Banks have a long way to go to improve the resilience and security of their IT systems”. Another member of the committee, Steve Baker, said: “the vulnerability of Tesco Bank highlights the crucial importance of technical security to the financial system.”