Reply to post: Re: Speculation and Rumour

'Tesco Bank's major vulnerability is its ownership by Tesco,' claims ex-employee

Lotaresco

Re: Speculation and Rumour

Most of it is there in the article.

Tesco Bank was originally run by RBS for Tesco. Therefore if the vulnerability was in the banking system it's likely that RBS would also be affected because the most likely transfer of operations from RBS to Tesco would be reproduction of the RBS systems at Tesco. The fact that some ex-RBS people are involved suggests that this is probably true.

The NCSC says it doesn't affect wider UK banking i.e. there's a low chance that the problem is common to Tesco and RBS. Therefore it is something that Tesco has done that has introduced the problem. Connecting a banking system to any other system is risky, the staffer says it was connected to Clubcard. That would be a stupid thing to do. We don't know which other Tesco systems are connected but it's reasonable to suggest that retail systems will not be secured to the same standard as banking systems.

The staffer also says there's no protective monitoring for the Tesco systems. That's downright irresponsible but typical of low-margin retail which would not like to pay the high day rates for SOC analysts who know their stuff.

This is back to "I told you so" territory because any halfway decent Security Architect could have told them that connections to non-banking systems are a bad idea and that skimping on monitoring is a *really* bad idea.
