[BreachExchange] Wonga data breach could affect nearly 250,000 UK customers

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 10 18:38:32 EDT 2017


https://www.theguardian.com/business/2017/apr/09/wonga-data-breach-could-affect-250000-uk-customers

More than a quarter of a million customers of payday loan firm Wonga are
being warned that their personal data may have been stolen in a data breach
at the firm.

The online lender said it was “urgently investigating illegal and
unauthorised access” to the personal data of some of its customers in the
UK and Poland. It is understood that the breach could affect up to 270,000
current and former customers, including 245,000 in the UK. The company
would not disclose where it had taken place.

The lender, which offers loans at interest rates starting at 1,286% a year,
became aware of a problem last week but did not realise until Friday that
data could be accessed externally. It alerted the authorities and started
to contact borrowers on Saturday to make them aware of the problem, and
give details of a dedicated customer services phone line for those affected.

Customers who are thought to have been affected have received a message
from the payday lender telling them: “We believe there may have been
illegal and unauthorised access to some of your personal data on your
Wonga.com account.”

The message said that Wonga was working to establish the full details but
data breached “may have included one or more of the following: name, email
address, home address, phone number, the last four digits of your card
number (but not the whole number) and/or your bank account number and sort
code.”

It went on to say that the lender believed Wonga accounts and passwords had
not been compromised, but customers were advised to look out for unusual
activity across their accounts. In a statement the firm said: “We are
working closely with authorities and we are in the process of informing
affected customers. We sincerely apologise for the inconvenience caused.”

The breach will be a blow to Wonga, which has in recent years attempted to
improve its reputation following a series of controversies. The lender,
which advertised heavily on TV and through football sponsorships, was found
by the financial regulator to have made loans to customers who could not
afford to repay them and to have chased bad debts with letters from a fake
law firm. New directors have replaced the firm’s original founders, a
three-month loan launched alongside the short-term payday loan, and
marketing has been changed to appeal to a better-off audience.

However, it has been hard hit by tougher rules on lending, introduced when
the Financial Conduct Authority (FCA) took on stewardship of the sector.
The latest set of results showed that the firm made a pre-tax loss of
£80.2m in 2015, up from £38.1m the year before.

There was no sign of the breach on the lender’s website, which carried its
usual information on how to apply for its loans. It has alerted the police,
the Information Commissioner’s Office (ICO) and the FCA. The ICO regulates
firms’ use and care of people’s personal details, although financial
services companies are not obliged to inform it of any breach. A
spokesperson for the organisation said: “All organisations have a
responsibility to keep customers’ personal information secure. Where we
find this has not happened, we can investigate and may take enforcement
action.”

Wonga is the latest in a long line of companies to discover that
information they hold on their customers has been compromised. In November,
Tesco Bank suspended online transactions after £2.5m was stolen from 9,000
customers, while mobile phone operator Three said information from 130,000
users had been compromised when its systems were breached. A cyber attack
on phone company TalkTalk in 2015 resulted in a £400,000 fine from the ICO
after it found the firm “could have been prevented if TalkTalk had taken
basic steps to protect customers’ information”.

On Twitter, some of Wonga’s customers were expressing concern about the
breach and complaining that they were struggling to get onto Wonga’s
website to change their account passwords. One tweeted the @OfficialWonga
feed to say: “Received an email that my details may have been hacked.
Please can you tell me if this is real? Been on hold for ages.”