The payday loan firm Wonga has suffered a data breach which may have affected up to 245,000 customers in the UK.
The firm said it was “urgently investigating illegal and unauthorised access to the personal data of some of its customers”.
The firm said it began contacting borrowers on Saturday and was offering support through a dedicated phone line.
The information stolen includes names, addresses, phone numbers, bank account numbers and sort codes.
Prof Alan Woodward, a cybersecurity expert at the University of Surrey, said it was “looking like one of the biggest” data breaches in the UK involving financial information.
The range of information stolen may also include the last four digits of customers’ bank cards – information used by some banks as part of the login process for online accounts.
A further 25,000 customers in Poland were also potentially affected.
In a statement, the firm said: “We are working closely with authorities and we are in the process of informing affected customers. We sincerely apologise for the inconvenience caused.”
Wonga said it did not believe the attackers had gained access to users’ loan accounts, but warned them to be vigilant.
The lender, which provides short-term loans, said it had become aware of the breach last week but at that time thought no data was involved.
However, by Friday it realised the attacks were more serious and started informing customers on Saturday by email and text.
What should Wonga customers do?
The payday lender has set up a help page for affected customers. It advises them to:
- Alert their bank and ask them to look out for any suspicious activity. Wonga will also be informing financial institutions about the breach
- Watch out for scammers or unusual online activity. In particular, customers are told to be cautious about cold calls and emails asking for personal information
- Contact the Wonga helpline on 0207 138 8330 for further questions
Prof Woodward said the combination of names, addresses, sort codes and last four digits of bank cards was “particularly worrying” for customers.
Other breaches in the UK had not tended to gain access to those financial details, he added.
TalkTalk received a record fine last year for a data breach, but of the nearly 157,000 customers affected, most did not have bank account details stolen.
A data breach at Yahoo affected nearly eight million customers in the UK last year, but was focused on email addresses and passwords.
A spokeswoman for the Information Commissioner’s Office said: “All organisations have a responsibility to keep customers’ personal information secure.
“Where we find this has not happened, we can investigate and may take enforcement action.”
The data breach is a further blow for Wonga, which has been trying to rebuild its reputation after several scandals.
In 2014, UK financial regulators found it had made loans to customers who could not afford to repay them, and chased debts with letters from a fake law firm.
In 2015, the firm saw its losses double as tougher regulation in the industry continued to bite.
Its pre-tax losses grew to £80.2m that year from £38.1m in 2014.