Payday loan company Wonga breached – what you need to know
By Paul Ducklin, Sophos
April 10, 2017
Payday loan company Wonga has just announced a data breach.
According to reports, personal information of approximately 250,000 customers in the UK and 25,000 in Poland was plundered.
Companies like Wonga are generally referred to as “payday loan providers” because customers typically borrow small amounts at high interest rates for short periods, for example to cover an unexpected expense until payday.
Despite the short-term nature of payday loans, you still need to hand over plenty of personally identifiable information, as with any account you open, including your name, address, phone number, bank account number and credit card details.
And, as with any company that operates online these days, you need to create an online account, too, which means coming up with a strong and unique password for that account.
Wonga has creditably put a very visible notice on the main page of its website, linking through to an FAQ page:
If you’ve ever used Wonga, we recommend reading the FAQ even if you didn’t receive an email from the company, just so you’re aware of what is known so far.
If you were one of the unlucky customers whose data was stolen, the silver lining is that the crooks only seem to have got at a subset of all the data Wonga knows about you:
As galling as it is to have this data disclosed by someone else, none of the items above are quite enough on their own for a crook to defraud you directly.
For example, in the UK, your address is effectively a matter of public record thanks to the electoral register, and many companies and sole traders openly publish their bank account numbers on every invoice to make it easy to get paid.
But stolen databases like this one are nevertheless valuable to cybercrooks, because having all those data points conveniently collected together is gold dust for scammers and social engineers.
It makes it easier for someone with the gift of the gab to convince your bank, your employer or your friends that they know you really well, or that they are acting on your behalf, or even that they are you.
Worse still, if you chose your password unwisely, for example by basing it on information associated with the account so that the password was easier to remember, it’s now easier for cybercrooks to guess.
(Wonga seems pretty certain that no password-specific data was stolen outright, whether encrypted or not.)
What to do?
While you’re about it, change your other online passwords too, after watching our video on How to Pick a Proper Password.
In Wonga’s words, “We will be alerting financial institutions about this issue and any individuals impacted as soon as possible, but we recommend that you also contact your bank and ask them to look out for any suspicious activity.”
Hang up the phone, as you would with a technical support scammer (or delete the email, as you would with unsolicited attachments) and contact Wonga directly using contact details you figured out for yourself.
In Wonga’s words, “Beware of scammers or unusual online activity. Be cautious of anyone who calls you and asks you to disclose any personal information regardless of where they say they are from. If this happens, we recommend that you hang up.”
As we like to say here on Naked Security, if in doubt, don’t give it out.