Wonga, the payday loan firm, has been hit with a data breach which may have had an impact on up to 245,000 customers in the UK. According to the firm, it is “urgently investigating illegal and unauthorised access to the personal data of some of its customers”.
The firm began getting in touch with borrowers on Saturday and has set up a dedicated phone line to support them. The information stolen includes names, addresses, phone numbers, bank account numbers and sort codes.
Prof Alan Woodward, a cybersecurity expert at the University of Surrey, said it was “looking like one of the biggest” data breaches in the UK involving financial information. The stolen information might also include the last four digits of customers’ bank cards, which some banks use as part of the login process for online accounts.
The data breach also hit a further 25,000 customers in Poland. The firm released a statement saying:
We are working closely with authorities and we are in the process of informing affected customers. We sincerely apologise for the inconvenience caused.
According to Wonga, the attackers have not gained access to users’ loan accounts, but the firm has issued a vigilance warning nonetheless. The lender, which is a provider of short-term loans, said that it became aware of the breach last week but thought at the time that no data was involved. By Friday, however, it became clear that the attacks were more serious, and it started informing customers on Saturday by email and text. The firm’s website showed no outward signs of a breach, carrying its usual information on how to apply for its loans. The police, the Information Commissioner’s Office (ICO) and the FCA have been alerted.
Prof Woodward said the combination of names, addresses, sort codes and last four digits of bank cards was “particularly worrying” for customers, adding that other breaches in the UK had not tended to involve access to those financial details.
Just last year, TalkTalk was slapped with a record fine for a data breach, but of the nearly 157,000 customers affected, most did not have their bank account details stolen. A data breach also occurred at Yahoo last year, affecting nearly eight million customers in the UK, but it was focused on email addresses and passwords.
A spokeswoman for the Information Commissioner’s Office said:
All organisations have a responsibility to keep customers’ personal information secure. Where we find this has not happened, we can investigate and may take enforcement action.
The data breach comes at a particularly precarious moment for Wonga, which has been mired in several scandals and is attempting to rebuild its reputation.
Back in 2014, UK financial regulators found that the firm had made loans to customers who could not afford to repay them, and pursued debts with letters from a fake law firm. In 2015, the firm’s losses doubled amid tougher regulation in the industry. Its pre-tax losses grew to £80.2 million that year, up from £38.1 million in 2014.