‘Biggest ever’ UK data breach uncovered
Tuesday, April 11, 2017
Troubled payday loan lender admits to widening security breach involving quarter of a million personal data records
Beleaguered payday loans firm Wonga has been forced to admit to a widening data breach of customer records. The breach is thought to have affected up to 245,000 customers in the UK, and a further 25,000 in Poland, and the company is “Urgently working to establish further details and contacting those who we know have been impacted”, according to a statement.
The company said that information may have included one or more of the following: name, e-mail address, home address, phone number, the last four digits of card numbers (but not the whole number) and/or bank account numbers and sort codes.
Ilia Kolochenko, CEO of High-Tech Bridge commented: “Unless full technical details of the incident are disclosed it would be premature to make any definitive conclusions. It could be insider activity, which is almost impossible to prevent in a cost-effective manner today, or a third-party supplier's breach causing the incident.
“However, Wonga's reaction is laudable - transparency, early notification and technical assistance are very important for potential victims. It also gives a certain assurance to current customers, not affected by the breach, that their privacy and security are important to Wonga.
“Speaking about this particular breach in general - I think it would be fair to say that this is the biggest *known* data breach incident in the UK, as many critical incidents are never discovered or never publicly disclosed.”
Prof Alan Woodward, a cybersecurity expert at the University of Surrey, agreed, telling the BBC it was "looking like one of the biggest" data breaches in the UK involving financial information. The company had been trying to rebuild a credible brand after the financial regulator found in late 2014 it had made loans to customers who could not afford to repay them and further to have chased bad debts with letters from a fake law firm.
Wonga’s statement leaves room for speculation as to the precise vector and even the origin of the attack: it initially opts for the generic “illegal and unauthorised access” to personal data, but closes out an FAQ post by stating: “Cyber attacks are, unfortunately, on the rise. While Wonga operates to the highest security standards, these illegal attacks are unfortunately increasingly sophisticated.” That statement appears to hint at an external attacker, but does not rule out an internal compromise.
Whatever the details of the attack, the sheer volume of personal financial data thought to be compromised puts this incident firmly on the 2017 data breach map, although it does pale into insignificance when compared to the biggest breaches of 2016, which topped out at 2.76 billion personal data records. That left a mere 0.6 of the online population (purely statistically speaking) still secure at the end of last year.
Wonga is not alone, of course, joining a long line of companies including Tesco Bank, which was forced to suspend transactions in November when £2.5m was stolen from customer accounts, mobile operator Three, and TalkTalk. The latter was fined £400,000 by the ICO after the watchdog found that “basic steps” could have mitigated the effects of a cyberattack.
The breach does emphasise the challenge that CISOs face in 13 months when GDPR comes into force across the EU. Although Wonga appears to be taking steps to comply with the spirit of the new legislation, the new fine structure will heavily penalise infractions: breaches must be notified within 72 hours to avoid maximum penalties of up to 4 per cent of worldwide annual turnover for the most serious failings.
It’s certainly going to be a busy 13 months, whether you’re a payday loan company or any other personal data processing entity...