Tesco Personal Finance Plc, also known as Tesco Bank, may have exposed its customers to cyber crimes by issuing sequential debit card numbers that are easier for hackers to attempt to breach without detection, the Financial Times reported Dec. 12, citing rival lenders.
Earlier, the bank was reported to have ignored repeated warnings from internet security experts about its software applications being targeted by hackers. It paid £2.5 million to about 9,000 current account customers affected by "online criminal activity" over the Nov. 5 weekend.
The Financial Conduct Authority contacted other lenders to inquire if they issued sequential card numbers, FT said, citing "two executives of the banks contacted by the watchdog."
Tesco had issued sequential primary account numbers to customers — Visa debit cards have a six-digit issuer identifier number, a unique nine-digit primary account number and a single check digit — instead of random numbers generated by a software used at most banks, FT added citing "executives at two rival banks and a person briefed on Tesco's security operations."
The FCA and Tesco declined comment.
Hackers can easily guess security codes and expiry dates when cards are issued in a numerical sequence, cyber security experts told the newspaper.
Tesco's accounts hack is also being investigated by the U.K.'s National Crime Agency and National Cyber Security Centre, apart from the FCA.