Nearly a quarter of a million UK Wonga customers may have had their data stolen in what could be one of the biggest data breaches in the country's history.
The payday lender began contacting customers on Saturday 8 April after detecting what it has described as "illegal and unauthorised access to the personal data of some of its customers".
IT Pro understands the hack has affected 245,000 UK customers, and 25,000 Poland customers.
Stolen information includes names, email and postal addresses, phone numbers, bank account numbers and sort codes, and the last four digits of bank card numbers, Wonga confirmed.
At this point, it's unclear if the stolen data was encrypted or not, nor how the attackers were able to gain access IT Pro has contacted the organisation for clarification of these points, and Wonga said it is "urgently investigating" the breach.
In an FAQ for customers the company said: "We do not believe your Wonga account password was compromised and believe your account should be secure, however if you are concerned you should change your account password. We also recommend that you look out for any unusual activity across any bank accounts and online portals."
The company also advised customers to contact their banks to alert them to the fact they may have been affected by the breach and ask for extra attention to be paid to their accounts in case of any suspicious activity.
This could be the largest ever data breach affecting a UK financial institution. Its magnitude is also apparently greater than the TalkTalk hack, which triggered the greatest fine ever issued by the Information Commissioner's Office (ICO), by nearly 100,000 people.
A Wonga spokesperson said in a statement to IT Pro:"Wonga is urgently investigating illegal and unauthorised access to the personal data of some of its customers in the UK and Poland. We are working closely with authorities and we are in the process of informing affected customers. We sincerely apologise for the inconvenience caused."
Wonga has informed the UK's data protection watchdog, the Information Commissioner's Office (ICO), as well as the police and the Financial Conduct Authority.
The security industry reacts
Wonga has been praised for its apparent quick reaction to the breach and rapid notification of customers, but some questioned the nature of the company's response.
Marc Agnew, vice president of ViaSat Europe, said: "Reacting to an attack appropriately is vital; from isolating and identifying the origin, to taking stock of what has been stolen or affected and making sure those who have been put at risk are notified and protected as soon as possible.
"By the looks of it, Wonga's customers were alerted in a timely manner and should be well informed enough to take action. This is all Wonga can do at this stage, but it'll be interesting to see what happens next and how serious an attack this turns out to be."
Gavin Millard, technical director EMEA of Tenable Network Security, questioned one piece of advice given by Wonga to its customers.
"Whilst Wonga's post breach FAQ states they 'don't believe your Wonga account password was compromised', I would strongly advise changing this password wherever it has been reused," Millard said.
"A favourite trick by scam artists is to use the data swiped to build up trust and credibility with a target to then request further information they don't have, so customers should be extra careful dealing with unsolicited calls irrelevant of who they claim to be," he added.
Those concerned they may have been affected by the breach can get more information from Wonga's Incident FAQ, which can be found here.
TalkTalk hack: Two men plead guilty to TalkTalk hack General Data Protection Regulation (GDPR) Three suffers another data breach
