Wonga, the British payday loan firm, suffered a data breach affecting up to 245,000 UK customers over the weekend.
A further 25,000 customers in Poland were also potentially at risk, the BBC reported.
The stolen data went beyond basic personal information such as names, addresses and phone numbers: it also included financial data such as bank account numbers and sort codes, with much more serious implications for customers.
The breach appears to be “one of the biggest” involving financial information in the UK, according to professor Alan Woodward, a cybersecurity expert at the University of Surrey.
The company said in a statement today:
“Wonga is urgently investigating illegal and unauthorised access to the personal data of some of its customers in the UK and Poland. We are working closely with authorities and we are in the process of informing affected customers. We sincerely apologise for the inconvenience caused.”
The lender became aware of a problem last week but did not realise until Friday that data could be accessed externally.
It alerted the authorities and started to contact borrowers on Saturday to make them aware of the problem.
Passwords had not been compromised, Wonga said, but customers were advised to look out for unusual activity across their accounts.
How did the breach happen?
“From my experience, the most common way to steal information from websites is called SQL Injection,” Marco Essomba, founder of UK-based company iCyber-Security, told Verdict.
“Cyber criminals use this method to relay malicious code to a web application and make it execute specific commands to steal data. Although a lot of organizations are putting in place defense mechanisms to protect against such attacks, website injection flaws are still common due to the inherent vulnerabilities of some web applications.”
Unfortunately, the latest data breach is not the first time Wonga, which offers “short-term, high-cost credit” loans, has faced public criticism.
1. Fake legal letters
In June 2014, Wonga was fined £2.6m by the Financial Conduct Authority (FCA) for sending threatening legal letters from fake law firms to 45,000 customers.
The FCA said Wonga had been guilty of “unfair and misleading debt collection practices” by creating fake companies to pressure struggling customers into paying their bills.
Wonga apologised and agreed to compensate those affected.
“Wonga’s misconduct was very serious because it had the effect of exacerbating an already difficult situation for customers in arrears,” said Clive Adamson, director of supervision at the FCA, at the time.
2. “Legal loan sharking”
In October 2014, the FCA ruled that Wonga had lent vast sums of money to people in the full knowledge that they could never afford to pay the company back.
Wonga was forced to write off £220m of loans to 330,000 borrowers because of its failure to check whether they could afford the repayments.
A further 45,000 people who were less than 30 days in arrears as of 2 October 2014 were given the opportunity to repay their loans without interest or charges.
Wonga, which charges high interest rates of up to 5,853 percent a year, was accused of “legal loan sharking” by MPs.
“The checks were not sophisticated enough and not strong enough,” Wonga’s chairman Andy Haste said at the time.
3. Misleading TV adverts
In April 2014, the Advertising Standards Authority (ASA) ruled that Wonga’s advert featuring puppets confused the public about the company’s interest rates.
“Whilst we acknowledged that viewers taking out and repaying the loan within the stated time period would not repay 5853 percent of the loan, we were nevertheless concerned that viewers would be left without a clear understanding of how the information in the on-screen text could be applied to a Wonga loan, given the ad’s assertion that the representative APR was not indicative of the cost of the loan,” the ASA said in its judgment at the time.
Just a matter of months later in July, Wonga cancelled all of its adverts featuring puppets after it was deemed inappropriate to appeal to children.
However, after the official announcement that Wonga had axed the campaign, the adverts were still being promoted via the local Wonga website in Spain.
In Poland, four versions of the advert continued to be broadcast on TV.
“[The] review resulted in the immediate removal of the puppet characters from TV screens in the UK, where Wonga is not currently on air. This work is largely complete with the only remaining instance of their use in Polish television adverts, which will be removed by the end of this month,” said a spokeswoman for Wonga at the time.
4. Taking advantage of students
In 2012, Wonga came under attack from the National Union of Students (NUS), which said the company advertised the short-term loans, with a typical APR of 4,214 percent, to cash-strapped students who would lose out.
“Students should think long and hard before choosing payday loans over any other form of borrowing, including government-backed student loans. If students are struggling to make ends meet there is often other support available, and anyone worried about their finances should talk to their students’ union or financial advisers at their university,” the NUS said in a statement at the time.
“Wonga should immediately withdraw this predatory [offer], which contains information that appears to be inaccurate, and is aimed at financially vulnerable young people.”
5. Accounting errors
Wonga discovered that it had miscalculated some 200,000 customers’ balances in April 2014, resulting in them overpaying.
The company responded to criticism, saying that the majority overpaid by less than £5, and a larger number underpaid. Those who overpaid were contacted, and the underpaid debt was cancelled, Wonga said.
However, the company admitted its poor accounting practices needed improvement.
Tim Weller, the then Wonga chief executive, said the company would “learn from these mistakes,” adding that strengthening internal controls was a priority.