Wonga breach hits 245,000 UK customers
Nearly a quarter of a million UK Wonga customers may have had their data stolen in what could be one of the biggest data breaches in the country’s history.
The payday lender began contacting a reported 270,000 customers on Saturday 8 April after detecting what it has described as “illegal and unauthorised access to the personal data of some of its customers”.
Stolen information includes names, email and postal addresses, phone numbers, bank account numbers and sort codes, and the last four digits of bank card numbers, Wonga confirmed.
At this point, it’s unclear whether the stolen data was encrypted or how the attackers were able to gain access – our sister site IT Pro has contacted the organisation for clarification of these points, but we hadn’t received a response at the time of publication.
In an FAQ for customers, the company said: “We do not believe your Wonga account password was compromised and believe your account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals.”
The company also advised customers to contact their banks to alert them to the fact they may have been affected by the breach and ask for extra attention to be paid to their accounts in case of any suspicious activity.
With a reported 245,000 potentially affected UK individuals – as well as another 25,000 in Poland – this could be the largest ever data breach affecting a UK financial institution. It apparently affects nearly 100,000 more people than the TalkTalk hack, which triggered the biggest fine ever issued by the Information Commissioner’s Office (ICO).
IT Pro contacted the ICO to see if it is investigating the Wonga breach, but hadn’t received a response at the time of publication.
The security industry reacts
Wonga has been praised for its apparent quick reaction to the breach and rapid notification of customers, but some questioned the nature of the company’s response.
Marc Agnew, vice president of ViaSat Europe, said: “Reacting to an attack appropriately is vital; from isolating and identifying the origin, to taking stock of what has been stolen or affected and making sure those who have been put at risk are notified and protected as soon as possible.
“By the looks of it, Wonga’s customers were alerted in a timely manner and should be well informed enough to take action. This is all Wonga can do at this stage, but it will be interesting to see what happens next and how serious an attack this turns out to be.”
Gavin Millard, technical director EMEA of Tenable Network Security, questioned one piece of advice given by Wonga to its customers.
“Whilst Wonga’s post-breach FAQ states they ‘don’t believe your Wonga account password was compromised’, I would strongly advise changing this password wherever it has been reused,” Millard said.
“A favourite trick by scam artists is to use the data swiped to build up trust and credibility with a target to then request further information they don’t have, so customers should be extra careful dealing with unsolicited calls irrelevant of who they claim to be,” he added.
Those concerned they may have been affected by the breach can get more information from Wonga’s Incident FAQ.