Payday lender Wonga admits to data breach

Payday lender Wonga has advised 270,000 customers of a data breach and offered inconsistent advice about the severity of the incident and how to respond. An “incident FAQ” on the company's site says “We believe there may have been illegal and unauthorised access to the personal data of some of our customers.” The Reg …

  1. Anonymous Coward

    Cheap labour

    I bet they outsourced their IT and those engineers were being paid peanuts so just did the bare minimum. And I bet other engineers warned them of the issues but were silenced by upper management.

    Let's hope they get hit with a massive fine.

    1. Steve Davies 3 Silver badge

      Re: Cheap labour

      Nah, it was probably outsourced to the cheapest bidder.

      They will get heavily fined though.

      The irony is that most of the people who use Wonga and had their data nicked won't be the sort of target the scammers want to go after. If they weren't hard up why else would you willingly pay interest rates of 100%+++ when a savings account that returns more than 0.5% interest is currently a good deal.

    2. mark 120

      Re: Cheap labour

      Unfortunately the ICO can only fine them £500k, and as the card details seem to be in line with PCI that alternative is out too.

      Now if this had come a year later when GDPR is in effect and the maximum fine ramps up to the greater of £20m or 4% of turnover, it may have been different...

      1. Anonymous Coward

        Re: Cheap labour

        Bring on the GDPR. Loads of work for security-minded techies and, more importantly, meaty fines for those who have long ignored the current legislation and abused the hell out of our personal information.

        Should be a good 12 months until brexit eviscerates the legislation here at home.

        1. Tom Paine

          Re: Cheap labour

          It - or They -- can't eviscerate GDPR after Brexit, as they won't be able to collect PII data from EU citizens without it.

          All e-commerce sites collect PII, in order to village you and deliver the product or service. No GDPR, no trade with Europe more advanced than bartering cockleshells for potatoes.

          1. Anonymous Coward

            Re: Cheap labour

            "It - or They -- can't eviscerate GDPR after Brexit, as they won't be able to collect PII data from EU citizens without it."

            Given we've just thrown away hassle-free tourism and trade on the back of absolute lies I doubt the spectre of difficult information exchange with Europeans is going to do much to stop our particularly masochistic government and their Daily Mail-loving population.

      2. Tom Paine

        Re: Cheap labour

        now if this had come a year later when GDPR is in effect and the maximum fine ramps up to the greater of £20m or 4% of turnover, it may have been different...

        Don't worry -- it will be...

    3. Tom Paine

      Re: Cheap labour

      That's quite an idea, there, though it sounds like what everyone says after this sort of thing for the last 15 years. Stuff mandatory ISMS frameworks and regulatory compliance... Just levy massive fines on any firm that gets hacked. Say, £10 per account. (Of course it would be bad to put firms out of business... it should be possible for them to pay on an installment basis. With appropriate interest charges *evil grin* ). Naturally we'd also need a mandatory disclosure law, with very severe penalties for non-compliance.

  2. Solarflare

    Might be in for a shock

    If the scammers have actually made off with financial details, not knowing exactly who Wonga are, they might be in for a shock. 270,000 financial details for unfortunate people who have neither money nor credit...

    1. a_yank_lurker

      Re: Might be in for a shock

      I would be surprised if their combined checking accounts had more than $100 total in them.

      The hackers are probably not locals who would know that Wonga is a payday loan outfit. Sad and humorous at the same time. Sad because innocent people now have to worry about their accounts. Humorous because the hackers thought they were going to make the big score but will be lucky to get peanuts but if caught could face the same sentence.

    2. Sooty

      Re: Might be in for a shock

      Alternatively, a nice list of mugs who are not very good with their money and are far more likely to fall for a scam.

  3. Anonymous Coward

    [INSERT-NAME-HERE] operates to highest standards, but attacks are increasingly sophisticated...

    * Makes a change from spinning the blame on intangible 'State Actors'.. But..

    * More whistleblowers need to blow the whistle on outfits that just cut corners. Then we need to see mega-fines levied that executives must personally pay!

    * But with Politicians all in the pockets of corporations, what's the odds this will happen until a daughter / son of a major politician gets screwed over...

    1. wolfetone Silver badge

      Re: [INSERT-NAME-HERE] operates to highest standards, but attacks are increasingly sophisticated...

      "We take our customers' privacy very seriously" but not seriously enough to lock the stable door before the donkeys decide to walk out.

      1. Robert Helpmann??
        Childcatcher

        Re: [INSERT-NAME-HERE] operates to highest standards, but attacks are increasingly sophisticated...

        Followed by "We sincerely apologise for the inconvenience caused." So that's alright then? Fines alone will never be enough to deter fiscal irresponsibility as long as they are so far outstripped by the gains. Add a dash of personal charges levied against a company's officers and a pinch of personal jail time and we might have a recipe for more reasonable behavior.

    2. Anonymous Coward

      Re: [INSERT-NAME-HERE] operates to highest standards, but attacks are increasingly sophisticated...

      "More whistleblowers"

      "I would, but I don't want to lose my job"

      This is why there are no whistleblowers.

      Jobsworths are why nothing gets highlighted.

      Bug bounties are all fine and well, but they also need to work inwardly. As far as I am aware there are no internal bug bounties.

      That said, I am generally anti bug bounty because I find them insulting.

      Cyber security needs to be proactive not reactive.

      Simply invest in a good cyber security expert.

      If you never get fined, he saved you millions of pounds. Therefore is worth a lot of money. Considerably more than a miserable bug bounty.

      Ideally you should have a minimum of two cyber security experts. One to constantly test and one to constantly improve.

      If one is the wrecking ball and the other is the concrete bunker you have a more objective approach.

      Each needs to be paid handsomely because if it comes to a head and something does go wrong the cyber guys need the means to access proper legal protection.

      As it stands being a cyber security expert can leave you exposed and as a result makes it a very risky career prospect.

      Simply finding the wrong type of bug can ruin your career.

  4. Anonymous Coward

    'scammers might be in for a shock / unfortunate people who have neither money nor credit'

    Assumptions.. It's more likely we're looking at vulnerable people who are in desperate times. Doesn't mean they don't have any savings to steal. There are bank account numbers involved, so this leak will end badly for some!

  5. Anonymous Coward

    I just hope ..

    I just hope there is 1500% interest added to their fine instead of the volume discount that seems to be de rigueur these days, as if 1000s of people having to cope with the consequences instead of 10 somehow makes it have less of an impact on the victims.

  6. Gordon Pryra

    Beware of scammers

    HA! Catch 22 time

    If these 300k people were able to spot a scammer they would not be on this database in the first place.

  7. Your alien overlord - fear me

    Clarification

    Their account (with Wonga) is secure. They should look out for fraudulent activity (on their bank account).

    Therefore Wonga can just sit back, not offering personal credit-score monitoring services etc. that other reputable financial companies offer when they get breached.

    1. Locky

      Re: Clarification

      If the clients had a reasonable credit score, they wouldn't be using Wonga in the first place....

      1. katrinab Silver badge

        Re: Clarification

        And the mere act of using Wonga kills off any credit score you might have had.

  8. hi_robb

    Cyber attacks are on the rise eh?

    Yep, they sure are.

    Wonga have detected a 1,509% increase in the last 5 years...

    1. Aladdin Sane

      Re: Cyber attacks are on the rise eh?

      Nah, that's just Wonga's interest rates.

      1. wolfetone Silver badge

        Re: Cyber attacks are on the rise eh?

        "Nah, that's just Wonga's interest rates."

        Nope. That's far too low to be their interest rates.

  9. Aladdin Sane

    Utter scum

    Up to you whether I'm referring to the hackers or Wonga.

    1. richardcox13

      Re: Utter scum

      Inclusive or is inclusive.

    2. jmch Silver badge

      Re: Utter scum

      Why does anyone use the euphemism "payday lenders" instead of saying what they really are: loan sharks?

      1. Aladdin Sane

        Re: Utter scum

        Because genuine loan sharks don't want to be associated with this shower?

  10. Anonymous Coward

    "We take issues of customer data and security extremely seriously."

    No you don't because if you did it wouldn't have happened in the first place as you would have paid the wonga to get the right people to secure your data.

  11. Adam 1

    Wonga

    Shirley that's a missed opportunity by the sub?

  12. Andy The Hat Silver badge

    Watching for fraudulent activity ...

    Are there any corporate instructions from the company on how an average Wonga customer can tell the difference between official Wonga money grabbing and fraudulent activity? My suggestion would be "if you spot a transaction which is not unreasonable then report it immediately as criminal activity, otherwise it's just a law-abiding loan shark obviously not ripping you off ..."

    1. Anonymous Coward

      Loan Sharks

      Not that Wonga was all that law-abiding -- remember the fake solicitors' letters it sent out some time ago. If ever a concern deserved to be terminated with extreme prejudice Wonga would be high on the list.

  13. Anonymous Coward

    With Name, Sort Code, and Account Number, I suspect it's most likely that the fraudsters could potentially set up Direct Debits against the victims' accounts.

    1. Suricou Raven

      They can try. These are Wonga customers - most of them are going to be in overdraft already, otherwise they'd be using that rather than going to Wonga.

  14. Daniel Bower

    APR! = interest

    I'll probably get downvoted for this but seeing as I expect El Reg to not jump on the tabloid hysteria.

    Wonga's APR is undoubtedly very high but the APR calculation is complicated and designed to enable consumers to compare similar products on a like for like basis and is skewed when it is applied to something like short term finance as it is comparing it to 25 year mortgages and everything in between.

    So use the APR to compare products in the same category and not across categories and it works pretty well but try and use it to compare completely different products and it's not a great tool.

    I think for a 30 day loan of 1000 the amount to repay is around 1200 so a true interest rate of nearer 20%.

    Still very high but not 100's of %.

    1. Bruce_c

      Re: APR! = interest

      Very much so. APR is very deceptive when looking at short term loans now that all fees and charges are rolled into the calculation - but it does make a good comparison tool between products.

      Although no fan of Wonga and their like, I do think they get a lot of undeserved stick for their APR figure, the example given on their front page is not too unreasonable:

      Borrow £200 for 14 days

      One repayment of £222.40

      Representative 1,509% APR

      Would you offering loans as a commercial service really do it for much less?

      1. Yet Another Anonymous coward Silver badge

        Re: APR! = interest

        Compared to the bank.

        Go £1 overdrawn,

        Get charged a very reasonable 10% interest rate on this

        Plus a $100 fee for an unauthorized overdraft

        Then a £80 letter telling you about it

        Then another £100 fee because the letter went out on the last day of the previous month and the fee is per month

        Then get a tax hike to bail out the bank that did this because it lost money gambling in the US housing market

        1. katrinab Silver badge

          Re: APR! = interest

          At HSBC the charge is £0 if you go overdrawn by less than £10

          https://www.hsbc.co.uk/1/2/overdrafts/overdrafts-charges

          Other banks have similar charges, HSBC is not the cheapest.

          The maximum charge is £80, if you are overdrawn for 21 or more days and make payments on 12 separate days out of the account while overdrawn.

        2. Triggerfish

          Re: APR! = interest

          Compared to the bank.

          It's a fair point but you can phone up your bank and make a polite pain in the arse of yourself on the phone enough that they will usually drop it. I am currently 5-4 with my bank over the course of me banking with them, that's £20 quid up in my favour on the scoreboard.

          Also if my bank tried to get away with fees like that they would soon find my account moving elsewhere.

      2. katrinab Silver badge

        Re: APR! = interest

        Borrow £200 for 14 days

        One repayment of £222.40

        Representative 1,509% APR

        Would you offering loans as a commercial service really do it for much less?

        An overdraft with HSBC - https://www.hsbc.co.uk/1/2/overdrafts

        Borrow £200 for 14 days

        One repayment of £201.40

        Representative 19.9% APR.

        £22.40 is a lot more than £1.40. The APR of 1509% vs 19.9% reflects that much higher charge.

    2. Anonymous Coward

      Re: APR! = interest

      "Wonga's apr is undoubtedly very high but the apr calculation is complicated and designed to enable consumers to compare similar products on a like for like basis and is skewed when it is applied to something like short term finance as it is comparing it to 25 year mortgages and everything in between."

      "I think for a 30 day loan of 1000 the amount to repay is around 1200 so a true interest rate of nearer 20%."

      Try playing with the sliders on this: https://www.wonga.com/ eg borrow £400 for 31 days and payback nearly £500. Bargain! Note the thin white writing to the right of the illustration - ie you are up shit creek if you follow this path.

      1. Prst. V.Jeltz Silver badge

        Re: APR! = interest

        "I think for a 30 day loan of 1000 the amount to repay is around 1200 so a true interest rate of nearer 20%."

        Yes but normally when a % is quoted it's per year - even the 18% on your credit card - although they calculate it and bill you every month that figure is "per year"

        Your Wonga example, as there are 21 months, is nearer 240%. Still sounds better than their APR tho

    3. Martin Milan

      Re: APR! = interest

      If we believe your figures, that's 20% per MONTH.

      Or 792% per year if you want the annual figure. Hardly a bargain - and that's just taking into account interest. Now you have to start thinking about late repayment fees, given that many people who hold these loans are on the absolute breadline and it is conceivable they can't afford the loan on the terms offered...

      1. Daniel Bower

        Re: APR! = interest

        That's exactly my point though. You are not borrowing for a year hence the comparison is meaningless.

        Short term finance is an expensive form of borrowing as the lender still needs to make a return and if they were to charge a monthly interest rate nearer to a loan - say 5% - the model is even less viable than it currently is.

        Note I am not defending or otherwise the underlying principle of lending money to people that can't afford it - simply removing the hyperbole attaching to interest rates.

  15. Doctor Syntax Silver badge

    Generic PR statement with omissions corrected:

    We take issues of customer data and security extremely less seriously than making the biggest possible profit

  16. CustardGannet

    Sound security advice

    Be cautious of anyone who calls you and asks you to disclose any personal information regardless of where they say they are from. If this happens, we recommend that you hang up.

    "Hi, it's Mum - are you still coming to ours for dinner on Sunday ?"

    "Piss off !"

    1. Anonymous Coward

      Re: Sound security advice

      "Happy Birthday son!"

      "Please remove me from your database forthwith or I will report you to the TPS for unsolicited calls"

      1. katrinab Silver badge

        Re: Sound security advice

        TBF I do tell people to piss off if they accuse me of being a man.

        Even more so if they ask to speak to my husband.

  17. Anonymous Coward
    Thumb Up

    Good for them to come clean!

    Yeah, it's oh so easy to mock and make fun of someone but I think it's good for them to come clean about the whole incident. For the record: I didn't know about Wonga or what they do but from visiting the website I got the overall impression.

    But let's not assume too much. Where there's money there are people trying to obtain that money for themselves, so obviously there are forces at work here. I wouldn't be too hasty to blame the whole thing on cheap labor. Thing is: banks I don't trust too much because they more or less get their money handed to them yet still ask for more.

    But companies like these are a bit different. They also take risks (to some extent).

    One thing though:

    "The FAQ offers contradictory advice on the incident, offering assurances that “We believe that your account is secure and you do not need to take any action" but also says “if you are concerned you should change your account password."

    No it doesn't. The first is not advice but an opinion: they believe that... Yet if you do feel concerned then you should change your password, which is always a good thing to do every once in a while.
