The ‘payday’ lender Wonga suffered a significant data breach over the last week which may have affected approximately 245,000 accounts in the UK and another 25,000 in Poland. Wonga has stated on its website: “We believe there may have been illegal and unauthorised access to the personal data of some of our customers.” According to the statement, unknown parties have accessed the following data from account names, e-mail address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code’. In the statement, Wonga have made it clear that no action is needed but that they suggest changing passwords as a precaution.
A data breach for Wonga is the last thing the business needed when revenues are down and the payday lending space has become increasingly competitive. Whilst Wonga accounts have not suffered a monetary loss, this data breach comes at a time when the business has been feeling the crunch since the Financial Conduct Authority in the United Kingdom introduced stringent regulation on payday lending. Wonga will now have to see if they will suffer any financial penalty from the Information Commissioners Office (ICO), which has been notified of the breach, and it will be interesting to see how the ICO respond. Currently the ICO can levy fines of up to £500,000, however, this will change when they adopt the principles of the forthcoming European Union’s General Data Protection Regulation legislation and will be able to fine up to €20,000,000 (approx. £17,080,000 at time of writing) or 5% of global turnover, whichever is greater. Given that this regulation comes into effect in May 2018, the ICO will continue to take data breaches very seriously and may be looking to make examples out of businesses that fail to comply with the data protection requirements. Financial services providers, such as Wonga, who fail to protect customer’s confidential financial data, such as bank account numbers, could feel the full brunt of the ICO’s enforcement powers.
The Wonga data breach highlights that businesses in the UK are still a prime target for cyber criminals, primarily because IT security spend is low compared to the USA and the subject is not taking seriously enough by the management of such businesses. Purchasing a cyber insurance policy can provide important coverage for exposures such as data breach fines and penalties but also provides incident response, with access to world leading cyber security consultants. Through a cyber insurance policy, the access to these cyber security consultants provides a service at a small fraction of what it would cost to hire a full-time IT security consultant. At Safeonline LLP we only work with insurers who provide the best incident response service and we specialise in helping businesses understand the coverage provided when they purchase cyber insurance.