As many as 270,000 customers may have been affected after a significant data breach at Wonga, one of the UK’s largest and best known payday lenders.

The information stolen includes names, addresses and phone numbers; and more seriously, also includes bank account numbers, sort codes and the last four digits of bank card references.

Up to 245,000 of the affected customers are said to be based in the UK, while the remaining 25,000 live in Poland. The company says it has started making contact with those affected, and that anyone who has not yet been contacted is welcome to call the dedicated helpline it has set up.

In a statement, Wonga said:

“We believe there may have been illegal and unauthorised access to the personal data of some of our customers.

“We are urgently working to establish further details and contacting those who we know have been impacted. The information may have included one or more of the following: name, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.

“We do not believe your Wonga account password was compromised and believe your account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals.”

The company advised customers to contact their bank and to ask them to look for any suspicious activity on their accounts. It also warned that its customers may now be targeted by scammers and fraudsters who have managed to obtain their personal data.

The Frequently Asked Questions section of Wonga’s webpage on the subject also adds:

“We take issues of customer data and security extremely seriously. Cyberattacks are, unfortunately, on the rise. While Wonga operates to the highest security standards, these illegal attacks are unfortunately increasingly sophisticated. We sincerely apologise for the inconvenience and concern this has caused.”

In a speech in September 2016, Nausicaa Delfas, Director of Specialist Supervision at the Financial Conduct Authority (FCA), warned that even the smallest financial services firms must take the subject of cyber security seriously. She revealed that the number of ransomware attacks rose by 35% in just one year between 2014 and 2015. The number of cyber-attacks of all types being reported to the FCA by authorised firms is also rising alarmingly, from just five in 2014 to 27 in 2015 and to 75 in the first nine months of 2016 alone.

In her speech. Ms Delfas warned firms to take note of the following:

• Firms need to have a ‘security culture’ – everyone from the board to senior management to supervisors and ordinary employees must take the issue of cyber security seriously
• Firms should have ‘good governance’ relating to cyber security – senior management must take responsibility for security in their business function, and boards of directors must challenge management to verify that appropriate arrangements are in place
• Firms must identify what their key assets are, and how they might protect these
All staff need to be trained to recognise suspicious activity, such as phishing emails
• Staff with access to important data should be security screened
• Firms need to have adequate detection capabilities, so that they know straight away if they have been attacked
• Firms must have effective recovery and response procedures in the form of a detailed business continuity plan, which explains what they will do in the event of a security breach to ensure business operations can continue
• Firms need to test their data security measures on a regular basis
• Significant data breaches must be reported to the FCA, as part of firms’ Principle 11 obligations to disclose to the regulators anything of which they would reasonably expect notice

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware the facts, circumstances or legal position may change after publication of the article.