Tesco Bank may have left itself open to fraud by issuing debit cards with sequential numbers, according to a report by the FT.

Criminals last month drained £2.5 million from 9000 current accounts at the supermarket chain's banking operations in a hack that was described by Tesco Bank CEO Benny Higgins as "a systematic, sophisticated attack", and billed as "unprecedented in the UK" by the country's banking watchdog.

According to the FT, in the month since the Tesco Bank breach, the Financial Conduct Authority has contacted several British lenders to check if they too are using a sequential numbering scheme for their cards.

Researchers at Newcastle University earlier this month published a study which demonstrated how criminals could have speared the bank's defences by automatically and systematically generating different variations of the card security data and firing it at multiple websites.

Because the Visa card system does not detect multiple invalid payment requests on the same card from different websites, unlimited guesses can be made to find the correct expiry date and CVV code.

In a reply to an FT query, Tesco Bank refused to confirm or deny the report. “As this remains an ongoing investigation, we will not comment on specific questions regarding the incident," says the bank. "However, we will confirm that our first priority was, and remains, to ensure that our customers’ accounts are safe and secure, and that we communicate with our customers immediately and transparently.”

pdf Taking Command of Your GRC Journey (374 KB)