Payday loan company Wonga has issued warnings to over a quarter of a million of its customers regarding a data breach that affected systems this weekend. Although Wonga are yet to confirm how or where this breach occurred, they have issued a statement to clarify their position on the issue.
“Urgently investigating illegal and unauthorised access to personal data”
Data loss or data breach can come in many forms from accidental deletion to theft, as in the case of Royal & Sun Alliance Inc’s breach where a NAS device was stolen.
Wonga’s ambiguity towards the situation at this point will do little to fill consumers with confidence in the organisation, and the reputation that they have been working hard to change is unlikely to improve as a result.
Wonga have published updated FAQs around the incident and believe that customer accounts are not at risk; however, data that is believed to have been lost includes:
- Email Addresses
- Home Addresses
- Phone Number
- Bank Account
- Sort Code
This information is likely to open these customers up to further risk from external criminal organisations who may now have access to the data. Email addresses open up the risk of ransomware attacks and bank account details could lead to fraudulent activity and financial loss.
Data Protection Authorities
Globally, organisations are required to adhere to state legislation in the countries they operate in or trade with; these pieces of legislation are policed by organisations such as the Information Commissioner's Office in the United Kingdom, which will be responsible for investigating the Wonga data breach and acting on it accordingly. The result is likely to be a monetary fine with a recommendation to improve or change the data protection processes in place.
The breach, as far as currently confirmed, also affected Wonga customers in Poland. As part of the European Union, Poland is compliant with the Personal Data Protection Act (PDPA) as well as having their own state legislation. If this breach were to happen next year, when GDPR (the General Data Protection Regulation) has taken effect, Wonga could be facing fines of up to €20 million or 4% of its global revenues.
Preventing Data Breach
Data breaches caused by cyber threats can be difficult to prevent, and with malware and phishing scams increasing in intelligence as well as volume, organisations are already fighting an uphill battle. That said, there are actions that organisations of all sizes can take to improve data protection and reduce the risk of a data breach.
Implement stringent policies around security.
Having clear and concise internal policies around data security will aid in securing data and, should these be broken, will aid in identifying the breach and who or what is responsible for causing it. Implementing these policies may also give an insight into any potential risks that an organisation currently has and give an opportunity to resolve these.
Train staff around data protection
Human error is still one of the leading causes of data loss or breach, but it is one that can be managed and prevented with the correct approach. Educating IT users around data protection policies and best practices can reduce this risk and quickly have a positive effect on the security of a network.
Limit access to sensitive data
By limiting and tracking who is authorised to access data of a sensitive nature, there is an increased onus on each user to ensure they are only using data in the correct way and to ensure they are abiding by policies to keep data secure.
Ensure data leaving site is encrypted
Encryption has been used by organisations for many years and is an effective way of providing an extra layer of security for any data leaving a primary storage facility. By encrypting data that leaves site, only the intended recipient or authorised personnel will be able to unlock and access the data. A piece of removable hardware could be at risk of theft or loss and, if it is unencrypted, the sensitive data on it will be easy to access and steal.
Regularly review data policies
Regularly reviewing data policies such as the lifecycle of data will not only ensure organisations are in line with the most current legislation but will also give further opportunities to enforce policies and update them if any risks are found.