Bring on GDPR. Wonga blunders in data breach - bank details lost?

Unsurprisingly, Wonga customers have been told to change their passwords after the payday loan firm admitted it had suffered a major data breach affecting over a quarter of a million of its customers.

In a statement issued by the firm, it said that it believed that there may have been illegal and unauthorised access to the personal data of some of its customers. It added that it was “urgently working to establish further details and contacting those who we know have been impacted”.

"We are working closely with authorities and we are in the process of informing affected customers. We sincerely apologise for the inconvenience caused,” it added.

So far, the information known to have been accessed includes names, e-mail addresses, home addresses, phone numbers, the last four digits of customers' card numbers, and bank account numbers and sort codes.

The loan firm said it did not believe account passwords had been compromised, but added that concerned users should change their passwords anyway. It also recommended that users look out for any unusual activity across their bank accounts and online portals.

Wonga has informed the Information Commissioner's Office and the Financial Conduct Authority about the breach.

According to reports by the Guardian, Wonga only became aware of a problem last week, but it wasn't until Friday that it realised data could be accessed externally and only started to contact customers on Saturday. Affected customers are located both in the UK and Poland.

Richard Henderson, global security strategist at Absolute, told SC Media UK that the breach highlights yet another reason GDPR can't come quickly enough.

“With so many brands being breached so frequently, consumers need more stringent controls and protection in terms of detection and notification so that organisations start to take this threat seriously,” he said.

“With enforcement just over a year away, it really is disappointing to see organisations continuing to fail. These regulations will hopefully see security efforts tightened everywhere to ensure that every vulnerability is locked down, businesses have full insight into who holds their sensitive data and that it is protected no matter where it resides.”

Ross Brewer, vice president and managing director EMEA at LogRhythm, said that the worrying part of the breach is the type of data that is thought to have been taken. 

“It's become relatively common for hackers to get their hands on names, email addresses and phone numbers, but, in this case, bank details are also believed to have been stolen. For 250,000 people, this will be a big problem. Hackers use information they steal to build profiles of their victims so that they can access money or more confidential data; the more information they have, the easier it is,” he said.

Dan Panesar, VP EMEA at Certes Networks, told SC Media UK that the problem lies in the entire industry's approach to cyber-security. 

“There is an inherent flaw in the current ‘protect’, ‘detect’, ‘react’ model. It may work within the confines of current regulatory requirements, but once a hacker bypasses a network's outer perimeter they are free to move uninhibited across the network, accessing a jackpot of sensitive data and wreaking havoc,” he said.

“There is a crucial step missing – once a hacker gains access to a network, the threat they pose must be contained. By applying a zero-trust strategy using cryptographic segmentation to ensure a hacker cannot roam freely across the network, businesses can significantly limit the impact of an attack or breach,” he added.

“With up to 270,000 consumers affected, cyber-security professionals have a duty to act, changing the mind-set within the industry to develop a better security model, one that is equipped to deal with the threat posed by the modern-day hacker.”