Sounds horribly complicated
"Some of these reported small fraudulent transactions of around £20 before larger transactions of £500 or more were attempted. Another report talked about cash had been fraudulently withdrawn from a customer’s account from an ATM in Rio de Janeiro, Brazil."
That could be a sign of someone testing out the process, but it sounds more like a bog-standard attack using cloned card, or knowledge of the pin, csv etc. All horribly complicated and very very embarassing for Tesco, although I suspect there are a lot of people in a lot of banks muttering "There but for the grace of $deity..."
<topical remoaner joke>Of course after Brexit, rip-offs like this will be impossible, as we'll be back in the Good Old Days, using leaves as currency. We'll just have to worry about highwaymen with pistols stopping the Mail Coach</rant>