Tesco
Tesco Bank says it has refunded all the customer accounts affected by the fraud on 6 November Jeff J Mitchell/Getty

Tesco Bank has said that an attack by cyber-thieves saw £2.5m ($3.09m) taken from accounts held by 9,000 customers – less than half what was initially thought. The bank claims that personal data "was not compromised" in the fraud, and that all the accounts affected will have been refunded by the end of Tuesday (8 November).

The bank described the incident as "a systematic and sophisticated attack" earlier this week, which left thousands locked out of their accounts. The fraud was detected by its internal fraud prevention system, with the bank fearing initially that 20,000 accounts may have had money removed.

The attack saw money taken from Tesco Bank accounts on Sunday (6 November) and a criminal investigation is underway. Andrew Bailey, the chief executive of the Financial Conduct Authority (FCA), earlier told MPs that the incident was "unprecedented".

"We've now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal," said Tesco Bank chief executive Benny Higgins, according to the BBC. "We'd also like to reassure our customers that none of their personal data has been compromised."

Some current account customers said they lost significant amounts and many have found themselves blocked from making online payments using their debit card since Sunday. The move by the bank was said to have been made "to prevent criminal activity".

"We'd again like to apologise for the worry and inconvenience this issue has caused," said Higgins.

The fraud forced Tesco to block some customers' credit card activity, and the company have described the incident as "online criminal activity" rather than a cyber-attack. Higgins says that the bank knows "exactly" what the attack was, but is restricted from releasing details due to the ongoing criminal investigation.

The National Crime Agency (NCA) is leading the investigation into the case with assistance from the National Cyber Security Centre, the new division of the surveillance agency GCHQ, which was created in October.

Bailey told MPs earlier: "The heart of concern is what is the root cause of this [Tesco attack] and what it tells us about the broader threats. It looks like it's [in] online banking, [it] clearly appears to be on [the] debit card side of online banking, as far as we can tell. But it requires further urgent analysis."

Under UK law, banks are required to refund fraudulent payments unless they have evidence that the customer was at fault, or they occurred more than 13 months ago. They must also refund any charges or interest applied to an account in relation to fraudulent payments.