Date: 2017-02-08
(Repeats story with no changes to text)
* Three months on, no clarity on Tesco Bank hack method
* Attack is test case for new cyber agency, the NCSC
* Bankers say "gentleman's code" to share info broken
By Lawrence White and Ritvik Carvalho
LONDON, Feb 7 - British banking executives and
security experts are growing frustrated at the dearth of
information available more than three months after 2.5 million
pounds ($3.09 million) was stolen from Tesco Bank in the UK's
biggest financial cyber heist.
Security officers normally share information on an informal
basis immediately after a major cyber incident so that the other
banks can check their systems, sources at four of Britain's
biggest lenders said.
In the case of Tesco Bank, a small lender with annual
profits of just 162 million pounds, details about exactly how
criminals stole the money and what vulnerabilities were exposed
have yet to be provided, however.
The case has exposed the lack of proper procedures to share
information as well as confusion over which government agency
has ultimate responsibility for the issue, lawmakers and
executives say.
"It is very frustrating," a senior executive at one of
Britain's largest banks told Reuters. "The gentlemen's code has
been broken."
A risk officer at another of Britain's biggest lenders said
a formal regulatory system was essential in a financial centre
like London where hundreds of banks of all sizes operate.
"I am not going to criticise them, the problem is
the structure," he said.
The Nov. 5-6 attack, which affected 9,000 Tesco Bank
customers, is the first major case to be investigated by
Britain's new National Cyber Security Centre (NCSC), working
with the National Crime Agency (NCA).
The NCSC brings together and replaces a host of bodies
including CESG (the information security arm of GCHQ), the
Centre for Cyber Assessment, Computer Emergency Response Team UK
and the cyber-related responsibilities of the Centre for the
Protection of National Infrastructure.
As regulatory authorities for the banking system, the Bank
of England's Prudential Regulation Authority and the Financial
Conduct Authority would also be involved in any regulations
governing financial cyber crime.
The NCSC did not respond to requests for comment on the
Tesco case. An NCA spokesman said: "The investigation is ongoing
therefore it would be inappropriate to comment further."
The new body is coming under pressure from the financial
industry and lawmakers to act quickly.
"It is up to the NCSC to institutionalise the sharing of
information and give some kind of obligation or requirement for
feedback after an attack like Tesco Bank," Troels Oerting, Group
Chief Information Security Officer at Barclays, told Reuters.
A team of academics from the University of Newcastle said in
December that a relatively unsophisticated method known as
'distributed guessing' could have been used to generate usable
card payment details in the November attack.
A spokesman for the bank, which is owned by leading
supermarket chain Tesco Plc, declined to discuss the
specifics of the case.
"We continue to work closely with the authorities and
regulators in their investigation of the criminal incident that
took place last year. Our priority throughout has been to look
after our customers," the spokesman said on Monday.
Bank executives and cyber security experts told Reuters in
October they feared Britain's banks are not reporting the full
extent of cyber attacks to regulators for fear of punishment or
bad publicity.
