Tesco Bank, owned by Britain’s biggest retailer Tesco, halted all online transactions on Monday after money was stolen from 20,000 accounts in the country’s first such cyber heist.
The bank, which manages 136,000 current accounts, did not explain how the thefts had happened but said it would repay people who had lost money in the online bank heist, which targeted 40,000 accounts in all and fueled fears about the British financial sector’s vulnerability.
Tesco Bank’s Chief Executive Benny Higgins told the BBC he thought “relatively small amounts” had been stolen, but the bank declined to give details of how much money in total had been taken or if it knew how the thefts had transpired.
It said “online criminal activity” had resulted in money being “withdrawn fraudulently.” Higgins said the cost of refunding people under its regulatory obligations would be “a big number but not a huge number.”
Cyber security experts said they were still lacking many details about the incident but that it could go down as one of the biggest digital heists on record.
“It is remarkable how many of these accounts were compromised and then pillaged in a relatively short period of time,” Tom Kellermann, an expert in cyber crime who is chief executive of U.S.-based investment firm Strategic Cyber Ventures, said.
Lawmaker Andrew Tyrie, chair of parliament’s powerful finance committee, criticized both banks and regulators for doing too little to improve cyber security after a string of technical failures and breaches of banking systems.
“We can’t go on like this,” Tyrie said in a statement, pledging to take up the issue with both Tesco Bank and regulators.
“Millions of customers remain unnecessarily exposed to the risk of IT failures, including delays in paying bills and an inability to access their own money,” he said.
Get Data Sheet, Fortune’s technology newsletter
Tesco Bank’s website carried a statement from Higgins apologizing to customers all day on Monday. The bank has about 8 million customers in total, including many who use its credit cards or insurance products but not its current accounts.
Shares in supermarket chain Tesco, which wholly owns Tesco Bank, were down 1.85% at 200.70 pence by 1445 GMT.
Customers could still use their bank cards in shops or to withdraw cash from ATMs, though some voiced frustration at having online transactions blocked.
“Tried to order pizza for dinner but @TescoBank has stopped online transactions. Cheers. What happens when I want to do my online shopping?” Twitter user Catherine Cutting asked.
Rise in Cyber Attacks
The bank is a minnow in Britain’s retail banking market, with about 2% of current accounts, and represents only a small part of Tesco’s overall business.
It contributed 503 million pounds ($623 million) to the group’s revenue of 24.4 billion pounds in the first half of its 2016-17 financial year.
But while the financial hit to the group may be limited, Tesco Bank risks serious reputational damage.
“I will be writing to Tesco Bank’s Chief Executive to find out what went wrong, and what actions are being taken to reduce the likelihood of it happening again,” Tyrie said.
Other British banks have been targeted by such attacks in recent years, but the Financial Conduct Authority (FCA) regulator said it was not aware of any previous incident in which customers had lost money.
Reported attacks on financial institutions in Britain have risen from just five in 2014 to more than 75 so far this year, according to FCA data, but bank executives and providers of security systems say many attacks go unreported.
HSBC apologized earlier this year after its U.K. personal banking websites were shut down by a “denial of service” attack, but no customer funds were at threat.
Other well-known British brands hit by significant cyber attacks over the past year include telecoms firms TalkTalk and Vodafone, business software provider Sage and electronic goods retailer Dixons Carphone.
Outside Britain, Bangladesh Bank lost $81 million in February after yet-to-be-identified cyber criminals hacked into its Dhaka headquarters and pulled the money out of its account at the Federal Reserve Bank of New York using fraudulent SWIFT wire transfers.
