Upto 245,000 UK customers have had their details stolen in a major data breach at payday loan company, Wonga.
In what is being called one of the worst data breaches ever in the UK, the Wonga breach came into focus on Friday and by Saturday, the notorious lender had started informing customers past and present. Gist of the e-mail was: ‘We believe there may have been illegal and unauthorised access to some of your personal data on your Wonga.com account… this may have included one or more of the following: name, email address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.’
We don’t think they could have sent through a less apologetic email even if they tried. Of the customers affected, there is a mix of those who have paid off their loans as well as ones who are currently repaying them. And while the majority are in the UK, around 25,000 are in Poland.
‘Wonga’s stock with the general public has never been particularly high, but this breach will see it fall even further. It is simply the latest name in a long list of data breach victims that will come to realise that the reputational impact of a breach is more damaging than anything the ICO can do to them, or the cybercriminals themselves for that matter, ‘ said Marc Agnew, Vice President, ViaSat Europe.
‘The stakes are so high that organisations need to treat cyber-attack not only as a threat, but as an inevitability. Organisations must therefore ensure that all customer data is encrypted, not just the passwords and card details. Inadequately protecting customer data can create massive problems for enterprises and consumers alike,’ added Agnew.
As for the Wonga security breach, it is a matter of simple math, really. The maximum that the ICO can fine Wonga is £500,000 and if Wonga have had 245,000 customer details stolen, they will effectively be fined less than £2 per customer. The only hope is that the FCA will step in and fine them for the severity of the data loss. The last time FCA stepped in was 2014 when they fined the Royal Bank of Scotland £56 million for the customer data they lost after a particularly bad cyber attack.
‘This should be a blow to the financial services industry, following on the heels of Tesco Bank breach late last year. However the reality is that it is unlikely to be. Consumers appear to be remarkably unconcerned by data breaches, presumably because they feel that everyone is as bad as everyone else and, as a result, stay put rather than moving to another provider. The feeling that “it won’t happen to me” compounded with the convenience of banking online tends to outweigh the very real risks.
As a result financial institutions, who currently face only trivial fines from the ICO, have little incentive to tighten cyber security. One can only hope that the increased fines that will become available to the ICO when GDPR comes into force next year will prompt banks to act with integrity and increase the security of their services,’ said Jeremy Swinfen-Green, Head of Cyber Security consulting, TEISS.co.uk.
‘The risk to Wonga customers lies in the compromised information being used to launch scams that are not necessarily associated with Wonga. For instance if hackers know your bank account and phone number or email address they may launch attacks aiming to break into your bank account rather than your Wonga account. Wonga customers will need to be very vigilant over the next days and weeks,’ added Swinfen-Green.
General Data Protection Regulation (GDPR) comes into force May 2018.
Amongst other stringent rules relating to the movement of customer data, it will also introduce a fine of roughly 4 percent of annual global turnover of the company whose database is hacked into and customer details stolen. And for financial organisations to take matters of customer security seriously, it will have to hit where it hurts- profit margins. With statistics like the fact that just 4 percent of breached data (from financial institutions) is encrypted makes the situation more dire.
‘Customers that entrust private information to the care of a business should be safe in the knowledge it is kept in a secure manner. Whilst security solutions significantly mitigate the risk of a successful attack, there are also other measures businesses can take in order to provide thorough protection. These measures include running fully updated software, performing regular security audits on their website code and penetration testing their infrastructure. It’s crucial that businesses ensure that all passwords are protected using secure hashing and salting algorithms. The best way for organisations to combat cyber-attacks is by putting in place an effective cyber-security strategy before the company becomes a target.
This is yet another case of a data breach, further underlining the need for regulation. It’s to be hoped that GDPR (General Data Protection Regulation), which comes into force in May 2018, will motivate firms to, firstly, take action to secure the customer data they hold, and secondly, to notify the ICO of breaches in a timely manner,’ said David Emm, principal security researcher at Kaspersky Lab.
This is not Wonga’s first brush with controversy. They have seen profits in a tailspin since 2014. This was off the back of several complains against them for lending to customers who couldn’t afford to repay them and then sending them letters from fake legal firms. The Financial Conduct Authority tightened regulations and introduced a cap on fees and loan per day amounts in 2015. This meant more losses for the likes of Wonga whose annual percentage rate (APR) would regularly top 1509 percent of the amount lent.