Payday lender Wonga announced this week it had suffered a data breach which could affect 250,000 of its customers in the UK and a further 25,000 in Poland.
Information reported to have been stolen includes names, addresses, phone numbers, email addresses and bank account details.
This has left those affected with a host of potential problems. With valuable private data stolen, victims are now exposed to “additional attacks, either by the initial attackers or other criminals to whom they sell the compromised data”, claims Brian Laing, VP Product Development at Lastline. He adds, “they [attackers] merge data from multiple sources, building dossiers on potential victims, including spear phishing targets inside corporations. Every breach is a reminder of the importance of strong authentication measures in both personal and professional devices, networks, and web applications.”
“The blurring of personal and professional use of enterprise assets such as laptops underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats and evasive malware that could be introduced because of an infected personal device targeted as a result of a prior data breach, such as the Wonga breach”, he says, warning that data breaches provide a distribution hub for malware for years to come.
Wonga have said they are “urgently investigating illegal and unauthorised access” to the personal data but have not disclosed where the breach took place.
A help page has been set up by the payday lender for affected customers which advises the following:
- Alert their bank and ask them to look out for any suspicious activity. Wonga will also be informing financial institutions about the breach
- Watch out for scammers or unusual online activity. Customers are told to be cautious about cold calls and emails asking for personal information
- Contact the Wonga helpline on 0207 138 8330 for further questions
The advice given by the FAQ appears to be contradictory, however, as Wonga is offering assurances by saying “we believe that your account is secure and you do not need to take any action” but also says “if you are concerned you should change your account password.”
Security researcher Lee Munson at Comparitech has picked up on Wonga’s apparent confusion by saying “the company’s own FAQ says it believes that all customer accounts are secure and that no action is required while, at the same time, suggesting that personal and banking information may have been stolen. For a quarter of a million Wonga customers paying upwards of 1,500% interest on their short-term loans, the APR may be the least of their concerns right now. Given the confusion, all Wonga customers should take some basic post-hack precautions, such as changing passwords, checking credit reports and being on the lookout for suspicious emails that appear to come from the company. For Wonga, this event should serve as a stark reminder that incident response is a vitally important part of dealing with a breach and several lessons need to be learned from this incident.”
Gavin Millard, EMEA Technical Director at Tenable Network Security, agrees that those affected are now targets for attackers and must take serious precautions. “A favourite trick by scam artists is to use the data swiped to build up trust and credibility with a target to then request further information they don’t have, so customers should be extra careful dealing with unsolicited calls irrelevant of who they claim to be. Whilst Wonga’s post breach FAQ states they ‘don’t believe your Wonga account password was compromised’, I would strongly advise changing this password wherever it has been reused.”