Another day, another data breach

Payday loan company Wonga has been hacked. And hacked pretty badly.

If you are one of the 245,000 customers whose data has been compromised, you may be vulnerable to further attacks.

It’s one thing for hackers to steal phone numbers and email addresses, or even to hold you to ransom, as we well know from the recent spate of ransomware attacks. But the hackers that hit Wonga may have trumped that by stealing the bank details and personal financial information of nearly a quarter of a million people.

Wonga’s email to customers said the data stolen may include names, email addresses, home addresses, phone numbers, the last four digits of their card number, bank account numbers and sort codes.

It says account passwords have not been breached and therefore people’s accounts should be safe from being accessed. However, the possession of bank account details and other identifying information is a delight for hackers.

Wonga commented that it works to the ‘highest security standards’, though its spokesman did not elaborate on how the data was accessed or if Wonga users’ passwords are encrypted.

If you’re a Wonga customer, you’re probably thinking: “What shall I do?”

This breach has potentially given criminals fresh information about you that you wouldn’t want them to know. But of course, that’s the data they wish to exploit for financial gain. I’d recommend you immediately watch your bank accounts with an eagle eye. Any small, unfamiliar transactions could be a build-up to a large transaction, so working closely with your bank is important for identifying any intrusive behaviour.

Another thing to do immediately is change your password – though Wonga has stated that passwords were not stolen, it’s still sensible to do so as a precautionary measure to rule out any further disruption.

And importantly, I bet you’re also asking the question: will Wonga be punished for this breach?

Details have been passed to the Information Commissioner’s Office (ICO), which enforces data protection rules, as well as the Financial Conduct Authority (FCA), the financial regulator.

The ICO said: “All organisations have a responsibility to keep customers’ personal information secure. Where we find this has not happened, we can investigate and may take enforcement action.” The watchdog has the power to fine companies up to £500,000.

If this were to happen as of June 2018, Wonga would find itself in a more serious situation. As GDPR (General Data Protection Regulation) comes into place, companies that do not comply with data protection rules will be charged €20 million or 4% of their turnover for the year – whichever is greater. GDPR is a new compliance law that will affect all businesses. TSG will shortly be hosting a series of webinars that will break down GDPR, and taking a GDPR roadshow across the UK. Watch this space for your chance to attend and find out how to prepare for this incoming legislation.

The Wonga hack is just another example of how easily large organisations can be hacked, and the damage a hack can do to customers and brand reputation – not to mention all the legalities involved in something that you thought you were protected against.

It’s important to highlight that it’s not just large organisations that are victims of data hacks. In fact, most hacks are targeted at small and medium businesses, usually resulting from an employee clicking a malicious link in an email. There’s an educational side of cyber security that companies, small or large, need to embrace, alongside having effective defences in place to ensure your business will never be taken down by hackers.

We’re running a series of Sophos Intercept X cyber security webinars to show you exactly how you can protect your business from the evil, malicious side of tech. Join now before your business is potentially harmed beyond repair.