LONDON (Reuters) - Tesco Bank, owned by Britain's biggest retailer Tesco, halted online transactions from all current accounts on Monday after money was stolen from 20,000 of them in the country's first such cyber heist.
The bank, which manages 136,000 current accounts, said it would repay people who had lost money in the attack, which targeted 40,000 accounts in all and fuelled fears about the British financial sector's vulnerability.
Tesco Bank's Chief Executive Benny Higgins told the BBC he thought "relatively small amounts" had been stolen, but the bank declined to give details of how much money in total had been taken or if it knew how the thefts had transpired.
Other British banks have been targeted by hackers in recent years, but the Financial Conduct Authority (FCA) regulator said it was not aware of any previous incident in which customers had had money stolen.
Tesco Bank said "online criminal activity" had resulted in money being "withdrawn fraudulently". Higgins said the cost of refunding people under its regulatory obligations would be "a big number but not a huge number".
In an updated statement late on Monday, the bank said it had begun refunding all affected customer accounts and expected to complete the process by the end of Tuesday.
Banks and cyber security experts in the United States said they were eager for more information.
"This is something we want to follow very closely," American Bankers Association senior vice president, Doug Johnson, said.
"We want to learn exactly what happened here and take lessons learned so these attacks don’t cascade from one institution to another."
British lawmaker Andrew Tyrie, chair of parliament's powerful finance committee, criticised both banks and regulators for doing too little to improve cyber security after a string of technical failures and breaches of banking systems.
"We can't go on like this," he said in a statement, pledging to take up the issue with both Tesco Bank and regulators.
"Millions of customers remain unnecessarily exposed to the risk of IT failures, including delays in paying bills and an inability to access their own money," he said.
Tesco Bank's website carried a statement from Higgins apologising to customers all day on Monday. The bank has about 8 million customers in total, including many who use its credit cards or insurance products but not its current accounts.
Shares in Tesco, which wholly owns Tesco Bank, closed down 1.1 percent at 202.5 pence.
Customers could still use their bank cards in shops or to withdraw cash from ATMs, and existing bill payments and direct debits were continuing as normal. But some current account holders voiced frustration at the block on online transactions.
"Tried to order pizza for dinner but @TescoBank has stopped online transactions. Cheers. What happens when I want to do my online shopping?" Catherine Cutting tweeted.
The bank is a minnow in Britain's retail banking market, with about 2 percent of current accounts, and represents only a small part of Tesco's overall business.
It contributed 503 million pounds ($623 million) to the group's revenue of 24.4 billion in the first half of its 2016-17 financial year.
But while the financial hit to the group may be limited, Tesco Bank risks serious reputational damage.
"I will be writing to Tesco Bank's Chief Executive to find out what went wrong, and what actions are being taken to reduce the likelihood of it happening again," Tyrie said.
Reported attacks on financial institutions in Britain have risen from just five in 2014 to more than 75 so far this year, according to FCA data, but bank executives and providers of security systems say many attacks go unreported.
HSBC apologised this year after its UK personal banking websites were shut down by a “denial of service” attack, but no customer funds were at risk.
Other well-known British brands hit by significant cyber attacks over the past year include telecoms firms TalkTalk and Vodafone, business software provider Sage and electronic goods retailer Dixons Carphone.
Outside Britain, Bangladesh Bank lost $81 million in February after yet-to-be-identified cyber criminals took money out of its account at the Federal Reserve Bank of New York using fraudulent SWIFT wire transfers.
Additional reporting by Michael Holden, James Davey and Huw Jones in London and Jim Finkle in Boston; Editing by Louise Ireland