Controversial short-term loan firm Wonga has some bad news for its current and former customers:
We believe there may have been illegal and unauthorised access to the personal data of some of our customers.
We are urgently working to establish further details and contacting those who we know have been impacted. The information may have included one or more of the following: name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.
We do not believe your Wonga account password was compromised and believe your account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals.
As The Guardian reports, current and former customers in the UK and Poland are thought to have been impacted by the security breach – a total of some 270,000 individuals, including 245,000 in the UK.
If you are one of those affected, my advice is to be very wary of unsolicited phone calls and emails that might be from scammers attempting to exploit the information. You would also be wise to keep a close eye on your finances for any unexpected transactions.
Wonga hasn’t yet shared details of how hackers might have accessed such sensitive information, but its website is surely high on the list of likely candidates.
That, after all, is how UK telecoms provider TalkTalk suffered a high profile hack in October 2015 through an elementary SQL injection attack.
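To make concrete what an "elementary SQL injection" of the kind that hit TalkTalk looks like, here is an added example that is not code from Wonga, TalkTalk or this article. It uses Python's sqlite3 against a constructed in-memory customer table (the schema, the rows and the users table are all assumptions for illustration): a lookup that splices the caller's input into the SQL text beside the parameterised version of the same query, with two classic payloads run against both.

```python
import sqlite3

# Constructed sample data for this example only; not any real company's schema.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "1234"),
    ("bob@example.com", "Bob Example", "5678"),
]
SAMPLE_USERS = [
    ("admin", "constructed-hash"),
]

# Two classic payloads (assumed attacker input, not from the article).
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password_hash, '' FROM users --"


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, card_last4 TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, email):
    """String-built query: the caller's input becomes part of the SQL text."""
    sql = "SELECT email, name, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """Parameterised query: the driver passes the value separately from the SQL,
    so a quote in the input is data, never syntax."""
    sql = "SELECT email, name, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups with a normal address and with each payload."""
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice@example.com"),
        # WHERE email = '' OR '1'='1' matches every customer row.
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        # The UNION pulls rows out of an unrelated table; '--' comments out
        # the closing quote the application appended.
        "vulnerable_union": lookup_vulnerable(conn, UNION_DUMP),
        "hardened_normal": lookup_hardened(conn, "alice@example.com"),
        # The same payloads are compared literally against the email column
        # and match nothing.
        "hardened_tautology": lookup_hardened(conn, TAUTOLOGY),
        "hardened_union": lookup_hardened(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The point of the side-by-side is that no input validation is involved: the hardened lookup is the same query with the value bound as a parameter, which is the fix TalkTalk's site lacked and the first thing a reviewer checks in any customer-facing lookup form.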
Wonga has previously claimed that its website is “extremely secure”.
Our website is extremely secure. We recognise the need for appropriate protection and management of the personal and financial information you share with us. We protect that information using secure socket layer (SSL) encryption technology and we store data in encrypted form on computers and control access via secure web pages. We employ firewalls and other security technologies to protect our servers from external attack.
Our security systems meet or exceed industry standards and we are constantly monitoring internet developments to ensure our systems evolve as required. We also test our systems regularly to make sure our security mechanisms are up to date in line with our regulatory obligations.
Of course that reassuring text was written by Wonga before it discovered that it had suffered a data breach that had potentially exposed details of a quarter of a million former and current customers.
I guess in due course it will be all too clear whether they should have felt so confident.
I, for one, will be watching with high interest.
Update: We discuss the Wonga data breach more in this edition of the “Smashing Security” podcast.
Smashing Security #016: 'Wonga wronga'
Stealing the financial details of people that in general are suffering financially somehow is probably not the most lucrative. That said, how remarkable.
One can see the nature of the security notice they have on their site – worded in such a way as to need no foreseeable updates. For example, "We also test our systems regularly" does not describe a frequency. A publicly available monthly security check bulletin on their website would be a better solution.
Puntastic.
"Stealing the financial details of people that in general are suffering financially somehow is probably not the most lucrative."
Those people are highly corruptible. Find out where they work and if that's 'interesting' offer them 'help' with their debts. There's your insider threat.