This week has seen leading UK payday loan company Wonga suffer a data breach that could affect up to 245,000 customers in the United Kingdom. A statement on the Wonga website says:
“We believe there may have been illegal and unauthorised access to the personal data of some of our customers.
We are urgently working to establish further details and contacting those who we know have been impacted. The information may have included one or more of the following: name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.
We do not believe your Wonga account password was compromised and believe your account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals.”
Although Wonga's most recent annual report showed its revenues dropping from £217 million to £77 million, it is still the UK’s biggest payday loan provider, and the incident highlights how even large businesses can be vulnerable to such data breaches.
The data breach comes at an interesting time for data security in Europe thanks to the forthcoming introduction of the European Union’s General Data Protection Regulations. The new regulations will come into effect in May 2018. They will extend the data rights of individuals and will require organisations across the European Union (including the UK despite Brexit) to develop clear procedures and policies and to adopt appropriate technical and organisational measures to protect personal data.
As well as being much more stringent than the data protection policies currently in place in many EU countries, the new General Data Protection Regulations also carry generally tougher penalties, with organisations found in breach of the regulations being subject to fines of up to 4% of their global annual turnover.
The Wonga data breach has led several leading online security experts to say that implementation of the General Data Protection Regulations cannot come soon enough. Speaking to SC Media, Richard Henderson, a global security strategist at Absolute, said:
“With so many brands being breached so frequently, consumers need more stringent controls and protection in terms of detection and notification so that organisations start to take this threat seriously.
With enforcement just over a year away, it really is disappointing to see organisations continuing to fail. These regulations will hopefully see security efforts tightened everywhere to ensure that every vulnerability is locked down, businesses have full insight into who holds their sensitive data and that it is protected no matter where it resides.”
The Information Commissioner’s Office have made a statement on the Wonga data breach indicating that they will be investigating the matter.
“All organisations have a responsibility to keep customers’ personal information secure. Where we find this has not happened, we can investigate and may take enforcement action.”