Author Mark Richards

Wonga is the latest in a long line of companies to suffer a ‘data breach.’ Should we now just accept that they are inevitable?

Wonga – the payday lender that has been in the news for all the wrong reasons lately – had some more unwelcome headlines earlier this week when it was revealed they had suffered a data breach which may have affected up to 245,000 customers in the UK.

Wonga said that it was “urgently investigating illegal and unauthorised access to the personal data of some of our customers.” They have begun contacting customers and are offering support through a ‘dedicated phone line,’ but experts are already describing it as “looking like one of the biggest data breaches involving financial information in the UK.”

As far as Wonga’s customers are concerned, that financial information means their names, addresses, phone numbers and full bank account details. In addition, information stolen might also include the last four digits of customers’ bank cards – information that some banks use as part of their log-in processes for online accounts.

Professor Alan Woodward, a cybersecurity expert at the University of Sussex, said that the combination of names, addresses, sort codes and the last four digits of bank cards was particularly worrying for customers. Other breaches in the UK had not seen the fraudsters gain access to those financial details. Yahoo, for example, had to admit to 8 million customers having their accounts breached – but it was e-mails and passwords that were stolen, not bank details.

Wonga’s Reaction

Wonga has made all the right noises. They first suspected the attack last week but did not initially think that any data was involved. As they became aware of the seriousness of the attack they started informing customers by e-mail and text of the data breach. Now they say they are “working closely with the authorities and in the process of informing affected customers.” They have apologised and told their customers that they don’t think information regarding their loan accounts has been stolen – but they have warned customers to be vigilant.

Wonga can certainly expect to be receiving a hefty fine for this security lapse. A spokesman for the Information Commissioner’s Office said,

“All organisations have a responsibility to keep customers’ personal information secure.” He added, “We will investigate and may take enforcement action.”

Coming on top of previous scandals, this is exactly the news Wonga did not want to hear – especially as its losses continue to mount – up to £80.2m in 2015 – as tougher regulation in the short term loans market continues to bite.

Wonga is just the latest…

But Wonga is far from the first company to suffer a data breach. The UK has a long – and definitely not proud – tradition of companies and organisation losing their customers’ information and personal details.

The term ‘data breach’ first came to prominence in 2006 when an unencrypted laptop was stolen from an employee of Nationwide Building Society, potentially putting at risk the personal data of 11 million savers. The Financial Services Authority ultimately fined Nationwide £980,000 for the breach: still, the largest sum ever imposed for data loss in the UK. At the time it was intended as a warning shot to other firms…

Clearly, the Inland Revenue were not paying attention as a year later they lost two CDs containing the records of 25 million child benefit claimants. The records were ‘lost in the post’ (like some many of the cheques sent to the Revenue…) and underlined how vulnerable data is to simple human error. There was never any suggestion that the password-protected discs had fallen into the wrong hands: but then the Inland Revenue would be very unlikely to admit to paying a ransom demand…

Where the Revenue led, others were swift to follow. Brighton and Sussex NHS Trust was fined £325,000 in 2010 after sensitive data regarding thousands of patients was discovered on hard drives sold on eBay. Instead of cleaning and destroying 22 hard drives, the contractor decided to sell them online.

There’s also the danger of the insider attack. In 2014 an employee of supermarket group Morrison’s published details of the firm’s entire workforce – all 100,000 people – online. While someone was ultimately arrested, a group of employees later launched legal action against Morrison’s.

The same year Staffordshire University revived the ‘lost laptop’ theme, losing details of 125,000 students and applicants. The holiday firm Think W3 suffered an attack by a hacker and lost over a million credit and debit card records in what the ICO described as “a staggering lapse.” They were duly slapped over the wrist to the tune of £150,000.

More recently, Moonpig, Talk Talk, Tesco Bank and Sports Direct have all made the headlines for losing customers’ confidential details in one way or another.

Could the data breach effect us all

Could a data breach affect all of us?

It’s tempting to think that data breaches involve ace hackers. Teenage wonder-kids surrounded by Coke cans and pizza boxes, sitting alone in dark rooms at 3 am, the only light coming from a dozen computer screens…

As we have seen though, simple stupidity and human error can be just as important – and just as dangerous for customers, patients or students, or whichever group of people is the latest to have its data stolen.

One thing is for certain: data breaches are not going to go away. However good a firm’s security there will always be a loophole or simple human carelessness. The evidence and the statistics suggest that sooner or later we could all be a victim of a data breach.

So if you suspect that your data has been stolen, what should you do?

  • Let your bank know and warn them about what you think has happened
  • Place a stop on your cards: it may be inconvenient in the short term, but it is not as inconvenient as someone using your card to go on holiday
  • Be extra vigilant regarding scammers and phishing e-mails. If someone appears to know a little information, it is very tempting to assume that they are who they are claiming to be.

And as we wrote in a recent article, remember that ‘Rover’ followed by your birthday is not an adequate password. If you must use your dog’s name, try calling it 45Tj&Klcg5#$RNu7£. It may not roll off the tongue when you throw a stick and shout “fetch!” But it will confuse the hackers…