Last checked at 
* 9,000 customers robbed in 'unprecedented' raid
* New cyber security body investigating nature of attack
* Money repaid as of 2200 GMT Tuesday
* Other small banks could also be vulnerable -experts (Recasts, adds Tesco statement)
By Lawrence White and Tom Bergin
LONDON, Nov 8 (Reuters) - Retailer Tesco Plc's banking armsaid on Tuesday that 2.5 million pounds ($3 million) had beenstolen from 9,000 customers over the weekend in what cyberexperts said was the first mass hacking of accounts at a westernbank.
Tesco Bank said it had resumed full service after the theft,which forced the suspension of online transactions on Monday.
"We've now refunded all customer accounts affected by fraudand lifted the suspension of online debit transactions so thatcustomers can use their accounts as normal," Tesco Bank CEOBenny Higgins said in a statement.
The bank, whose operating income has accounted for as muchas a quarter of Tesco's total in some years, added that nocustomer data had been compromised.
The National Cyber Security Centre (NCSC), a new governmentbody, said on Tuesday that it was working with criminalinvestigators and Tesco to understand the nature of an attackdescribed as "unprecedented" by the financial regulator.
The NCSC and Britain's National Crime Agency said they couldnot remember another confirmed case where thieves had stolenlarge sums of money via a mass hacking of accounts at a Westernbank.
The bank has provided few details about what happened. It isnot clear how online thieves broke into the bank, how theypulled out the funds or how much was stolen. It is also notclear if there are any suspects.
A spokeswoman for Tesco declined to comment beyond itsprevious statement on Monday.
SMALLER BANKS AT RISK
Cyber experts said that smaller banks, like Tesco's, aremore vulnerable to attack than global financial institutions,which have bigger cyber security budgets.
JPMorgan, for example, has disclosed that it spendsabout $600 million on cyber security annually.
"Smaller and medium-sized companies may be more vulnerable,many of them have not invested properly in security measures andan incident like this should stimulate them to think again,"said Sergio Romanets, cyber security expert at consultantGreyspark Partners in London.
Cyber and IT security risks have received little coverage inTesco Bank's most recent annual report, according to a Reutersanalysis, with just one mention - saying "of note is theindustry-wide attention on cyber-crime".
Rival J Sainsbury Plc's bank unit and Metro BankPlc, two other smaller "challenger" banks in Britain,each mention cyber and information security at least three timesin their most recent annual reports. By contrast, among thecountry's biggest banks, Santander UK has at least 49 mentions,Barclays at least 14 and Lloyds 32.
Tesco Bank runs on separate IT systems from the group'sretail unit. The lender was originally set up as a joint venturewith Royal Bank of Scotland and Tesco Plc in 1997 beforebecoming wholly owned by the retailer in 2008.
U.S. financial technology provider Fiserv providesits online retail banking platform and its financial crimeprevention system, according to Fiserv's website.
"There is no indication that our software or services wereinvolved in the incident that Tesco Bank experienced over theweekend. Nonetheless, we are offering our support in whatevermanner will be helpful to Tesco Bank," a spokeswoman for Fiservsaid in an emailed statement to Reuters.
Tesco Bank has spent 500 million pounds ($618.75million)building up its technology platform over the past sevenyears since the split with RBS, accounts show.
Britain's financial regulator sought to reassure the publicon Tuesday that financial authorities were working to understandthe nature of the attack.
On Monday, lawmaker Andrew Tyrie, chair of Parliament'spowerful finance committee, said both banks and regulators haddone too little to improve cyber security.
Reported attacks on financial institutions in Britain haverisen from just five in 2014 to more than 75 so far this year,according to Financial Conduct Authority data, but bankexecutives and providers of security systems say many attacks gounreported.
($1 = 0.8081 pounds) (Additional reporting by Andrew MacAskill, Jim Finkle and EricAuchard; Editing by Mark Potter, Pravin Char and Dan Grebler)
