In a recent scandal, Tesco Bank customers had £2.5m taken from their accounts after a massive cyber-attack. The bank suspended online banking for all of the 136,000 customers who use it.  They claim that 9,000 customers were affected and that users’ “personal data has [not] been compromised.” It was initially reported that as many as 20,000 accounts may had been affected, but the actual number proved to be much lower. Most of the accounts had small amounts of money taken from them, but some customers lost hundreds of pounds or even as much as £1,500 in the attack.

Tesco Bank refunded all of the money that was stolen from customers. The Financial Conduct Authority (FCA), which regulates financial firms, requires banks to refund any unauthorised payments from a customer’s account, unless they can prove that the fault lies with the customer, or if the transaction took place over 13 months ago.

Benny Higgins, Tesco Bank CEO, commented: “Our first priority throughout this incident has been protecting and looking after our customers and we’d again like to apologise for the worry and inconvenience this issue has caused.”

“We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal.”

According to Higgins, the bank knows “exactly” the nature of the attack, but cannot publically say it due to an ongoing investigation from the National Crime Agency. He did say that it was  “a systematic, sophisticated attack.”

The Sunday Times reported that the criminals behind the attack used contactless smartphones payments to launder the stolen money. According to the paper, the thieves bought thousands of low-priced items from US and Brazil based shops, including the American electronics retailer, Best Buy.

Chief executive of the FCA, Andrew Bailey, described the scale of the attack as an “unprecedented” attack in the context of the UK. Bailey told MPs that “there are elements of this that look unprecedented and it is serious, clearly.”

Tesco Bank could be fined up to £500,000 by the Information Commissioner’s Office if they are judged to have failed to take preventative measures to stop customers’ personal data being hacked.