Re: Not sure how the trojan theory would work out...
"Ordinary card cloning (from manipulated ATMs or POS terminals) is unlikely as well - that wouldn't explain the large number of cases on this one bank."
This was my thought as well. Given that the attack appears to have targeted only Tesco, any customer-based attack such as cloning cards or phone and/or PC malware seems pretty unlikely, since these would almost always catch customers of multiple banks. It almost has to have been either an inside job or some vulnerability specific to Tesco's systems (I guess the former is technically a subset of the latter).