Payday loan company Wonga suffered a data breach affecting up to 245,000 customers in the UK. According to the BBC, another 25,000 customers in Poland could also be affected.
A notification on Wonga’s UK website currently warns of “unlawful and unauthorized access to limited personal data” and states that affected customers have been notified by email of the breach.
According to an FAQ page on its website, the types of personal data that may have been compromised include names, email addresses, home addresses, phone numbers, the last four digits of credit card numbers (but not the whole number) and/or bank account numbers and sort codes.
The company says it doesn’t believe passwords for customers’ Wonga accounts have been compromised, but suggests that affected users change their passwords anyway.
Wonga is warning affected customers to be “very vigilant” and alert their bank to the potential risk – although it says it will also contact financial institutions about the breach.
Since the last four digits of bank cards can be used as part of the online account login process, there is a potential risk that the hacked data could be used to attempt to log into customers’ bank accounts.
We have reached out to Wonga with questions and will update this story with any answers. Update: In a statement, a company spokesperson told us: “Wonga is urgently investigating illegal and unauthorized access to personal data of some of its customers in the UK and Poland. We are working closely with the authorities and we are in the process of informing the customers concerned. We sincerely apologize for the inconvenience caused.”
There are no details of how the breach occurred at this point, with Wonga saying on its website that it was “urgently working to establish more details” and making a generic statement about the rise of “increasingly sophisticated” cyber attacks.
According to The Guardian, the company became aware of a problem last week, but did not realize until Friday that the data could be viewed from outside, and did not begin contacting affected customers until Saturday. UK data protection regulator ICO has apparently been made aware of the breach – although it is not known when. An ICO spokesperson did not answer the question, providing instead this statement: “All organizations have a responsibility to protect the personal information of customers. When we find that this has not happened, we can investigate and take enforcement action.”
New EU data breach rules that come into effect in May 2018 will require businesses to promptly (within 72 hours) notify data protection authorities of data breaches involving financial information – with fines up to €10 million or 2% of worldwide revenue for compliance breaches.
This is by no means the first time that Wonga has made headlines. In 2014, the company had to write down $340 million in overdue loans, following an investigation by the UK Competition and Markets Authority into its lending practices. It was also fined by the regulator for sending bogus letters from lawyers to late-paying clients.
Although Wonga attracted substantial technology investment for a real-time automated decision-making platform for affordability checks, it ended up canceling loans for 330,000 customers and waiving interest and fees for 45,000 others – raising questions about the efficiency of its algorithms.
The tightening of criteria on short-term lending by the UK financial regulator ultimately reduced the size of Wonga’s business, which saw losses double in 2015 – to £80.2 million.