Wonga data breach puts up to 245,000 UK current and former customers at risk

Bank account details amongst the personal information stolen.

Wonga data breach puts up to 245,000 UK current and former customers at risk

Controversial short-term loan firm Wonga has some bad news for its current and former customers:

We believe there may have been illegal and unauthorised access to the personal data of some of our customers.

We are urgently working to establish further details and contacting those who we know have been impacted. The information may have included one or more of the following: name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.

Sign up to our free newsletter.
Security news, advice, and tips.

We do not believe your Wonga account password was compromised and believe your account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals.

As The Guardian reports, current and former customers in the UK and Poland are thought to have been impacted by the security breach – a total of some 270,000 individuals, including 245,000 in the UK.

If you are one of those affected, my advice is to be very wary of unsolicited phone calls and emails that might be from scammers attempting to exploit the information. You would also be wise to keep a close eye on your finances for any unexpected transactions.

Wonga hasn’t yet shared details of how hackers might have accessed such sensitive information, but its website is surely high in the list of likely candidates.

That, after all, is how UK telecoms provider TalkTalk suffered a high profile hack in October 2015 through an elementary SQL injection attack.

Wonga has previously claimed that its website is “extremely secure”.

Wonga secure website

Our website is extremely secure. We recognise the need for appropriate protection and management of the personal and financial information you share with us. We protect that information using secure socket layer (SSL) encryption technology and we store data in encrypted form on computers and control access via secure web pages. We employ firewalls and other security technologies to protect our servers from external attack.

Our security systems meet or exceed industry standards and we are constantly monitoring internet developments to ensure our systems evolve as required. We also test our systems regularly to make sure our security mechanisms are up to date in line with our regulatory obligations.

Of course that reassuring text was written by Wonga before it discovered that it had suffered a data breach that had potentially exposed details of a quarter of a million former and current customers.

I guess in due course it will be all too clear whether they should have felt so confident.

I, for one, will be watching with high interest.

Update: We discuss the Wonga data breach more in this edition of the “Smashing Security” podcast.

Smashing Security #016: 'Wonga wronga'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “Wonga data breach puts up to 245,000 UK current and former customers at risk”

  1. Mike

    Stealing the financial details of people that in general are suffering financially somehow is probably not the most lucrative. That said, how remarkable.

  2. graphicequaliser

    One can see the nature of the security notice they have on their site – worded in such a way as to need no foreseeable updates. For example, "We also test our systems regularly" does not describe a frequency. A publicly available monthly security check bulletin on their website would be a better solution.

  3. furriephillips
  4. Ilsec

    "Stealing the financial details of people that in general are suffering financially somehow is probably not the most lucrative."
    Those people are highly corruptible. Find out where they work and if that's 'interesting' offer them 'help' with their debts. There's your insider threat.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.