By Lawrence White and Tom Bergin
LONDON (Reuters) - British cyber security authorities are investigating the theft of money from thousands of Tesco Bank accounts as experts warned that other small banks could also be vulnerable to attack.
The National Cyber Security Centre (NCSC), a new government body, said on Tuesday that it was working with criminal investigators and Tesco to understand the nature of an attack described as "unprecedented" by the financial regulator.
The NCSC and Britain's National Crime Agency said they could not think of another confirmed case where thieves had stolen large sums of money via a mass hacking of accounts at a Western bank.
Tesco Bank, owned by retailer Tesco (L:TSCO), halted online transactions from all current accounts on Monday and said it would repay people who had lost money in an attack that targeted some 40,000 accounts, nearly a third of its 136,000 accounts.
The bank has provided few details about what happened. It is not clear how online thieves broke into the bank, how they pulled out the funds or how much was stolen. It is also not clear if there are any suspects.
A spokeswoman for Tesco declined to comment beyond its previous statement on Monday.
Cyber security experts said that smaller banks were attractive targets for hackers because they were not as well protected as big global financial institutions, some of which spend hundreds of millions of dollars a year on cyber security.
JPMorgan (N:JPM), for example, has disclosed that it is now spending about $600 million on cyber security per year.
"Smaller and medium-sized companies may be more vulnerable, many of them have not invested properly in security measures and an incident like this should stimulate them to think again," said Sergio Romanets, cyber security expert at consultant Greyspark Partners in London.
Britain's financial regulator sought to reassure the public on Tuesday that financial authorities were working to understand the nature of the attack.
"This looks unprecedented in the UK," Andrew Bailey, chief executive of the Financial Conduct Authority (FCA), told a parliamentary hearing.
He said customers should be compensated by the end of the day but that it would be difficult to restore full online services at Tesco Bank until the cause of the breach was fully understood.
His comments followed criticism of the industry on Monday from British lawmaker Andrew Tyrie, chair of parliament's powerful finance committee. He said both banks and regulators had done too little to improve cyber security, adding that he would take up the issue with Tesco Bank.
CYBER RISKS
Reported attacks on financial institutions in Britain have risen from just five in 2014 to more than 75 so far this year, according to FCA data, but bank executives and providers of security systems say many attacks go unreported.
Cyber and IT security risks have received little coverage in Tesco Bank's most recent annual report, according to a Reuters analysis, with just one mention - saying "of note is the industry-wide attention on cyber-crime".
Rival J Sainsbury (OTC:JSAIY) Plc's (L:SBRY) bank unit and Metro Bank Plc (L:MTRO), two other of the smaller "challenger" banks in Britain, each mention cyber and information security at least three times their most recent annual reports.
By contrast, among the country's biggest banks, Santander (MC:SAN) UK has at least 49 mentions, Barclays (L:BARC) at least 14, and Lloyds (LON:LLOY) 32.
Tesco Bank runs on separate IT systems to the group's retail unit. The lender was originally set up as a joint venture with Royal Bank of Scotland (LON:RBS) and Tesco Plc in 1997 before becoming wholly owned by the retailer in 2008.
U.S. financial technology provider Fiserv (O:FISV) provides its online retail banking platform and its financial crime prevention system, according to Fiserv's website.
"There is no indication that our software or services were involved in the incident that Tesco Bank experienced over the weekend. Nonetheless, we are offering our support in whatever manner will be helpful to Tesco Bank," a spokeswoman for Fiserv said in an emailed statement to Reuters.
Tesco Bank has spent 500 million pounds ($618.75 million)building up its technology platform over the past seven years since the split with RBS, accounts show.
($1 = 0.8081 pounds)