Tesco Bank hacked – your rights and how to get a refund
Tesco Bank says it restored normal banking facilities for its 136,000 current account customers by Tuesday night and insists it has now refunded about £2.5 million to the 9,000 victims of fraud identified following Saturday's major hack. If you bank with Tesco, don't assume it's all been put right – we explain your rights and what to check.
The bank had suspended all online transfers and debit card payments since Saturday, though debit cards still worked in stores, as did direct debits, standing orders and cash withdrawals.
Tesco Bank has 7.8 million customer accounts across savings, current accounts and credit cards. It insists only current accounts were hacked into. The number of victims was originally suspected to be about 40,000 but in a statement issued on Tuesday night, it cut that figure to 9,000 – with an average £280 per person refunded.
In texts we've seen, it messaged customers on Tuesday night to say: "We wanted you to know that the issue has now been fully resolved.
"All services are available again, including paying with your debit card on the internet. We can confirm any fraudulent payments have been fully refunded and that your personal data was never compromised.
"Your existing card will continue to work as normal. We apologise again for the inconvenience and thank you for your patience and support."
MoneySavingExpert.com had been contacted by customers who criticised the lack of communication from Tesco Bank in the immediate aftermath of the hack and the length of time it had taken for those affected to get through to the company's call centre staff.
Tesco Bank current account customer? Check for suspicious transactions NOW
If all transactions are familiar, it's likely you've not been affected, though keep checking over the coming days in case transactions come through late. Hopefully, if anything's dodgy you can now see a refund for the amount originally taken.
If you see something suspicious that hasn't been refunded, call Tesco Bank on 0345 835 3353. Don't just assume it's been put right – check yourself.
Were you hit by the hack and are having problems getting a refund? Email news@moneysavingexpert.com.
Will Tesco Bank refund me for additional costs as a result of the hack?
It says it will cover "all out of pocket expenses". These could include charges for going overdrawn with Tesco if your funds were raided.
Or you could have been charged by other banks for late payments (eg, your mortgage or credit card provider) where a direct debit from Tesco was rejected because of a lack of funds due to fraud. It's worth contacting other providers to explain the situation if the hack led to missed payments.
Tesco Bank hasn't yet said what the process will be for claiming for additional costs but is asking customers to contact customer services on 0345 835 3353.
If I was unable to make payments due to the hack, will my credit file be hit?
It's possible some customers whose accounts were raided, leaving them without funds to pay loans, mortgages, credit card and other bills, may get a black mark applied on their credit file by the other bank.
We've yet to get full details from Tesco Bank on how it will be handling this, but we understand it won't be reporting late payments on its products resulting from the hack to credit agencies.
If you've missed a payment as a result of the hack, ask the provider not to report it – hopefully it should be sympathetic.
To make sure your credit score hasn't been affected, it's worth checking your credit file with the three agencies (Experian, Callcredit and Equifax) next month – see our Check your credit report for free guide for help). If you see a late payment that shouldn't be there, our Credit Scores guide helps explain how to get it wiped off.
Tesco Bank says it restored normal banking facilities for its 136,000 current account customers by Tuesday night
'Phones jammed'
We've heard from dozens of Tesco Bank current account customers on Twitter and via the MSE forum over the weekend who have voiced concerns about the situation:
Forumite Nationwide8 posted on Saturday: "44 mins and counting for Tesco Bank to answer the phone after I [received] an email from their fraud dept asking [me] to contact them urgently."
Another forumite Darcy macaw posted: "We also had [a] text and email to call Tesco Bank [regarding the] fraud, checked our accounts and [the] available amount is less than it should be. Unable to get through to Tesco despite calling twice and queuing for an hour each time."
How could this have happened?
Tesco Bank has declined to comment on how the hack occurred – it's currently investigating the incident. But MPs are not happy.
Andrew Tyrie MP, chairman of the Treasury Committee, says: "This is just the latest in a long list of failures and breaches of banking IT systems, exposing many thousands of customers to uncertainty and disruption. "At the beginning of the year, I wrote to the regulators urging them to take action to ensure that banks improve the resilience and security of their systems, and their IT expertise. "Millions of customers remain unnecessarily exposed to the risks of IT failures, including delays in paying bills and an inability to access their own money. "As for this case, I will be writing to Tesco Bank's chief executive to find out what went wrong, and what actions are being taken to reduce the likelihood of it happening again. Making sure that banks improve their IT systems, and their resilience to cybercrime, is also a responsibility of regulators. We will raise this issue with them again shortly. We can't carry on like this."
What does Tesco Bank say?
Tesco Bank chief executive Benny Higgins says: "Our first priority throughout this incident has been protecting and looking after our customers and we'd again like to apologise for the worry and inconvenience this issue has caused.
"We've now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We'd also like to reassure our customers that none of their personal data has been compromised."