Payday loan company Wonga has suffered a data breach that may have affected up to 270,000 customers’ personal data – including names, addresses, phone numbers, and financial information such as account numbers, sort codes and the last four digits of customers’ card numbers.
This is “one of the biggest” breaches of financial information in the UK, according to Professor Alan Woodward, a cyber security expert at the University of Surrey.
Initial reports suggest that it will be more extensive than TalkTalk’s 2015 data breach, which led to the company receiving a record fine from the Information Commissioner’s Office. That breach affected 157,000 people, although fewer than 16,000 of them had bank details compromised.
Who is affected?
The breach has affected both current and former customers whose details Wonga has on record. In total, up to 245,000 customers in the UK have had information compromised, as well as a further 25,000 in Poland.
The company also operates in South Africa, Spain and Germany, but the breach is not believed to have compromised records in any of these countries.
Wonga said it became aware of the breach on 4th April, but at the time it thought no data was involved. Three days later, however, the company began to realise the extent of the attacks and started emailing and texting its customers. It has also set up a help page and phone line for customers to learn more about the breach.
The company believes that customers’ Wonga passwords are unaffected and that their accounts “should be secure”, but that will be little relief to anyone whose bank information has been compromised.
The extent of the exposed data – including the last four digits of customers’ bank cards, which some banks use as part of the login process for online banking – means that anyone holding this information has a ready-made piece of the puzzle for attempting to access many customers’ bank accounts.
Protect your organisation
Mitigating the risk of data breaches is an essential part of any business’ security strategy. Penetration testing is often a component of this – especially for companies that handle cardholder details. Any company that stores, transmits or processes payment details must perform regular tests in order to comply with the PCI DSS (Payment Card Industry Data Security Standard).
IT Governance offers fixed-priced and bespoke CREST-accredited PCI penetration tests to help organisations meet the requirements of the PCI DSS and better prepare for attacks against their information assets.