Skip to main content

A Busy Month for Cyber Attackers: Tesco Bank, Three Mobile and Muni

(Image credit: Image Credit: Welcomia / Shutterstock)

Last month we witnessed, once again, the might of the modern cyber-attacker. Tesco Bank, Three Mobile and Muni, San Francisco’s transit system, were all publicly outted when their networks were hacked – proving once again that cyber security can affect us all. 

Tesco Bank

Tesco Bank, a popular UK retail bank, was breached in early November, affecting 9,000 customers. Tesco shelled out over £2,500,000 to those who lost money – but their loss was not purely financial, their business integrity was cast into doubt. As trust forms the bedrock of business for banks, once this is questioned the reputational damage can be irreparable.

It is estimated that financial institutions are 300 times more vulnerable to a cyber-breach than any other, despite the sector being one of the most cyber security-mature. Traditional security measures can no longer be considered sufficient when it comes to protecting financial information, and much of this comes down to increases in complexity. 

Security teams in banks and other large businesses are struggling to monitor digital activity across an ever-bigger, ever more diverse network. Combine this with the challenge of an increasingly sophisticated threat, and human security teams are inevitably going to miss the silent and stealthy attacks capable of bypassing network borders. 

Three Mobile

Up next in the media spotlight: Three Mobile. Here, the data of 130,000 customers was exposed when hackers exploited employee credentials to gain access to customer data including names, date of births and contact details, without triggering security alarms.

Three Mobile’s rapid identification, investigation and engagement with law enforcement to arrest three men in connection with the attacks might have helped minimise the reputational and financial damage at stake. However, initial news of the attack ignited panic on social media, demonstrating the importance of post-breach contingency plans, including PR.

Security teams should now be asking themselves: would I be able to notice if something that appears to be legitimate, is actually fraudulent? More frequently we are seeing wily hackers use employee logins to disguise themselves on the network and carry out attacks from the inside, undetected.

Hackers are using increasingly sophisticated methods of attack making it difficult to distinguish between innocent insiders and malicious attackers. Only by gaining visibility into their internal systems and understanding what ‘normal’ looks like, can organisations detect the subtle behaviours which are, in fact, illegitimate and need investigating. 


The commuters of San Francisco got a free ride to work a few weeks ago after San Francisco’s transport agency, Muni, was hit by ransomware.

Over 2,000 computers, critical to the safe running of the major city’s transportation system were infected with the variant of the HDDCryptor malware. Normal operations ground to a halt and the criminals held Muni to a ransom of around half a million dollars.   

This will not be the last attack we see on public transport. Trains, trams and buses are an essential part of modern life, however, outdated and under-resourced, they are juicy targets for cyber-criminals wanting to wreak havoc en masse. Defenders of critical infrastructure and data cannot afford to wait any longer in modernising their systems and implementing self-learning methods to catch threats while they are active internally. Note to the security team: don’t expect to catch the attacker as they walk through the gate. 

Machine Learning – Catching Threats Before Disaster Strikes

The bottom line must be that we cannot continue with security status quo, when the rules have changed. The threat is inside the network. Just like the human body is constantly battling with viruses, organisations need to constantly monitor for compromises with immune system technology that fights back fast. By developing an ‘immune system’ for their networks, companies can identify suspicious behaviours as they emerge, and respond to them before serious damage is done. This is the best chance we have to even out the battlefield.  

Machine learning enables this immune system approach and is already detecting and automatically responding to previously unidentified threats in a number of organisations across the world.

For instance, Darktrace recently discovered that biometric scanners, used to restrict access to machinery in an Asian manufacturing company, had been compromised through software vulnerabilities. Using machine learning to detect unusual network behaviours, attackers were found to be changing legitimate biometric data with different data – quite possibly their own fingerprints. No signature existed for that type of threat and it would have gone unchecked by legacy controls. Fortunately, Darktrace was able to flag it to the organisation in time to avoid a physical intrusion and potentially catastrophic damage.

In another case, a charity in California suffered a ransomware attack via a spear phishing campaign. The attacker sent an email containing a fake invoice, supposedly coming from a stationary supplier known to the company. The charity’s receptionist opened the attachment, and as soon as she did, JavaScript within the document connected her computer with a server in Ukraine. This downloaded malware began to encrypt company files within minutes, but Darktrace had identified the attack as quickly.

The speed of ransomware is virtually impossible to deal with using legacy approaches. Fortunately, in this instance, machine learning technology alerted the organisation fast enough for the receptionist’s desktop to be disconnected from the network – preventing the ransomware from spreading further.

Clearly, from observing both the high-profile attacks and those that escape the headlines, machine learning is a truly powerful tool in tackling today’s threats before they can cause crisis. Armed with automation and better visibility, defenders now stand a chance in combatting the evolving cyber-threat, which is a growing concern for all. 

Image Credit: Welcomia / Shutterstock

Dave Palmer
Dave Palmer, Director of Technology at Darktrace, has over ten years' experience at the forefront of government intelligence operations, working across GCHQ and MI5. At Darktrace, Dave oversees the mathematics and engineering teams.