[BreachExchange] Credit score builder Loqbox hit by data breach
Destry Winant
destry at riskbasedsecurity.com
Tue Mar 3 10:11:46 EST 2020
https://www.moneysavingexpert.com/news/2020/03/credit-score-builder-loqbox-hit-by-data-breach/
Some customers of credit history-building tool Loqbox have had
personal and financial data compromised after the firm was hit by a
"sophisticated and complex" cyber attack.
Loqbox is a tool which helps those with patchy credit histories build
a credit score by buying a 'digital voucher' – essentially a loan –
and then 'repaying' it by saving a set amount into a Loqbox account
each month.
But Loqbox has now announced that it's been hit by a cyber attack, in
which hackers accessed both customers' personal data – such as
addresses and phone numbers – and, in some cases, their payment
information.
It insists that all funds that customers have paid in are secure and
have not been affected by the hack. It says customers can carry on
logging into their Loqbox accounts in the usual way.
Loqbox says it discovered the attack on 20 February 2020, and has
since contacted all affected customers to tell them what's happened
and offer them advice on how to protect themselves – if you're
affected, we've full safety tips below. We've asked Loqbox how many
customers were affected by the breach, and will update this story when
we hear back.
See our 30+ Ways to Stop Scams guide for information on keeping your data safe.
What is Loqbox?
Loqbox is a tool for those whose credit histories are too limited for
them to take out traditional credit products. Customers choose an
amount between £20 and £200 which they can afford to save each month.
The way it works is you're then given a nominal 'loan' for 12 months'
worth of your chosen amount. In actual fact, no money changes hands
but you are given a Loqbox – a sort of digital voucher – which you
then 'repay' by your chosen amount each month. In practice, this means
you pay into a ring-fenced Lloyds savings account and will then get
all the money you've paid in back at the end of the 12 months – though
you don't earn any interest.
As you're effectively repaying a loan, your monthly payments are
reported to all three credit reference agencies, which Loqbox says
should help build your history. You can also get your savings back
whenever you want penalty-free by 'unlocking' your Loqbox.
At the end of the 12 months – or before if you choose to unlock
earlier – you'll be given the option of opening a new account with one
of Loqbox's partners.
What data has been compromised?
Loqbox says the personal information accessed by the hackers includes
some customers' names, dates of birth, postal addresses and phone
numbers.
In some cases, hackers have also accessed some of the following types
of financial information:
The first six and last four digits of a customer's 16-digit card number.
The customer's card expiry date.
The sort code used by customers to unlock their Loqbox.
Two digits of the bank account number used to make payments to Loqbox.
Loqbox says it's reported the incident to the police and regulatory
authorities, and has taken "further steps" to improve the defences of
its computer system.
I'm affected by the breach – what can I do?
Loqbox says the compromised personal data couldn't be used to access
customers' bank accounts or other accounts on its own.
However, there is a chance the information could be used by criminals
alongside other data to carry out phishing attacks or attempts at
identity fraud, so it's important to stay vigilant.
If you're affected by the data breach, you should take the following
steps to minimise the risk of being hit by fraud (see our 30+ Ways to
Stop Scams guide for full help):
Check your bank or credit card transactions regularly. If you spot any
unfamiliar or unusual activity, make sure you contact your bank
immediately and let it know.
If worried, demand a new card. Check whether your bank or credit card
firm will be routinely replacing cards affected by this breach – but
if not, you can ask for a replacement card anyway.
Beware of 'phishing scams'. Criminals may attempt to use the news of
the data breach as an opportunity to trick people affected into
revealing information. Remember that no bank or any other genuine
organisation will contact you out of the blue to ask for details such
as your PIN or banking password, and beware of clicking on any links
in text messages or emails.
Loqbox has also reiterated that it will never call, text or email
customers asking for their full bank account number or card details.
See if your card provider lets you get payment notifications. Some
card providers, such as American Express, allow you to get
notifications on your phone or tablet every time a payment is made on
your card. This way, you can see instantly when a payment goes out if
it's one you aren't expecting.
More information about the BreachExchange
mailing list