Weekly podcast: Wonga, prisoners and Agas

This week we discuss a data breach that may have compromised the personal information of more than 250,000 Wonga customers, the enterprising cyber crimes of four Ohio prisoners, and a series of security flaws that could allow anyone to control your Aga.

Hello and welcome to the IT Governance podcast for Friday, 14 April 2017. Here are this week’s stories.

More than 250,000 customers of high-street usurer Wonga have been informed that their personal data may have been illegally accessed. The controversial payday lender – which quotes an eye-watering representative APR of 1,509% on its homepage – said that the data breach may have affected customers’ email and postal addresses, phone numbers, bank account numbers and sort codes, and the last four digits of their bank cards.

Wonga notes that, while it “operates to the highest security standards, [cyber attacks] are unfortunately increasingly sophisticated.” It has apologised for the incident and the “inconvenience and concern” it has caused, but believes customers’ accounts are secure and that they “do not need to take any action”.

The Financial Conduct Authority and the Information Commissioner’s Office have been informed.

Despite recent attempts by Wonga to improve its poor reputation, the company’s somewhat chequered history will be at the forefront of many customers’ minds as they mull over the impact of this incident.

In 2014, the FCA ordered Wonga to pay more than £2.6 million in compensation after it threatened some 45,000 customers with letters from fake law firms.

The same year, Wonga was forced to write off £220 million of loans to 375,000 borrowers after the FCA found they should never have been lent to in the first place as they had no hope of repaying the loans.

And in 2012, the Office of Fair Trading criticised Wonga after it emerged that it had sent letters to customers accusing them of committing fraud.

We are, it should go without saying, not in the habit of applauding the actions of criminals here at IT Governance, but I couldn’t help but be amused by a story I read on Gizmodo this week.

Four prisoners at the Marion Correctional Institution in Ohio built a couple of computers from parts they’d collected from a rehabilitation programme that employed offenders to disassemble old hard drives for recycling, hid them in a ceiling, connected them to the Ohio Department of Rehabilitation and Correction (ODRC)’s network, and used them to commit more crimes.

According to a report by Ohio’s Attorney General, forensic analysis of the two hard drives found that the inmates had downloaded “articles about making home-made drugs, plastics explosives and credit cards”. They also contained a veritable arsenal of hacking tools, including “password-cracking tools, virtual private network tools, network enumeration tools, hand-crafted software, numerous proxy tools, and other software used for various types of malicious activity.”

Unsurprisingly, analysis “also revealed that malicious activity had been occurring within the ODRC network” and that the computers had been used, among other things, to search inmates’ personal information and use it to successfully apply for five credit cards.

The inmates were split up and moved to different prisons.

State prisons spokeswoman JoeEllen Smith said: “We will thoroughly review the reports and take any additional steps necessary to prevent these types of things from happening again. It is of critical importance that we provide necessary safeguards in regards to the use of technology while still providing opportunities for offenders to participate in meaningful and rehabilitative programming.”

Internet of Things time again – I’m almost persuaded to make this a regular feature. Ken Munro of security consultants Pen Test Partners blogged this week about a number of security flaws he’d found in the iTotal Control system that lets Aga owners control their ovens via a mobile app – Aga owners and anyone else.

According to Munro: “All you have to do is simply send a text message to the Aga. [He] didn’t, but it would be trivial for less ethical culinary threat actors to do so. You probably know it takes hours for an Aga to heat up. Switch it off, annoy the hell out of people.”

Munro says that attempting to contact Aga about the issues was “a train wreck” – whoever runs the company’s Twitter account even blocked him after he tweeted them about the issue. The BBC had better luck getting through, though, eliciting the statement:

“Aga Rangemaster operates its Aga TC phone app via a third party service provider. Security and account registration also involves our [machine to machine] provider. We take such issues seriously and have raised them immediately with our service providers so that we can answer in detail the points raised.”

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s April book of the month is our bestselling GDPR pocket guide – the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the General Data Protection Regulation. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.