Following the news that Wonga, the payday lender has experienced a data breach that may affect up to ‘245,000 UK customers’, IT security experts from SailPoint, McAfee, ViaSat Europe, Tenable Network Security, ESET, Micro Focus, Netskope and F5 Networks commented below.
Kevin Cunningham, President & Co-Founder at SailPoint:
“This data breach from Wonga shows that incidents are an everyday occurrence that businesses must counteract or risk a significant impact to their bottom-line as well as customer loyalty.
“Businesses house more and more sensitive data, therefore everyone from the executive level down needs to ensure there is a collaborative effort from internal staff to protect sensitive customer information and ultimately, the health and longevity of the company.
“In today’s market, it’s a matter of when, not if, a data breach will happen. So the most important factors are prevention, education, and rapid response. When a breach does happen, it’s important to quickly find out how and why it occurred, assess the damage and required response, and put IT controls in place to address future attacks. This is where identity and access management solutions can help, because they can address the immediate pain while also identifying – and mitigating – other areas of exposure.”
Raj Samani, Chief Scientese at McAfee:
“Users of Wonga should be extra vigilant right now and be cautious about incoming requests via phone or email. Our 2016 Data Protection Benchmark Study found there are around 21-30 data loss incidents per day across the UK’s financial services industry. Criminals can exploit the data they’ve stolen to contact customers directly, build trust and ultimately profit from the knowledge they have to hand.
“As the financial services industry becomes increasingly digital, corporations need to consider increasingly digital security solutions, such as artificial intelligence and machine learning. This will help protect against current cybercrime tools and tactics, while empowering the financial services industry to detect the next wave of cybercrime – based on intricate analysis of cybercriminals’ behaviour – and remediate these threats as soon as they launch.
“But this can’t operate in silo. The whole industry needs to be thinking about how they evolve to share intelligence. Security is not a competition point.”
Marc Agnew, Vice President at ViaSat Europe:
“Wonga’s stock with the general public has never been particularly high, but this breach will see it fall even further. It is simply the latest name in a long list of data breach victims that will come to realise that the reputational impact of a breach is more damaging than anything the ICO can do to them, or the cybercriminals themselves for that matter.
“The stakes are so high that organisations need to treat cyber-attack not only as a threat, but as an inevitability. Organisations must therefore ensure that all customer data is encrypted, not just the passwords and card details, so that any stolen data is essentially worthless. Inadequately protecting customer data can create massive problems for enterprises and consumers alike. Reacting to an attack appropriately is vital; from isolating and identifying the origin, to taking stock of what has been stolen or affected and making sure those who have been put at risk are notified and protected as soon as possible. By the looks of it, Wonga’s customers were alerted in a timely manner and should be well informed enough to take action. This is all Wonga can do at this stage, but it’ll be interesting to see what happens next and how serious an attack this turns out to be.”
Gavin Millard, Technical Director EMEA at Tenable Network Security:
“Whilst Wonga’s post breach FAQ states they ‘don’t believe your wonga account password was compromised’, I would strongly advise changing this password wherever it has been reused.
“A favorite trick by scam artists is to use the data swiped to build up trust and credibility with a target to then request further information they don’t have, so customers should be extra careful dealing with unsolicited calls irrelevant of who they claim to be.”
Mark James, Security Specialist at ESET:
“Malware is being written, modified and adapted to do all sorts of tasks – some breaches are opportunistic and it may just be a lucky hit from malware doing the rounds or it may be the result of a targeted attack through a sophisticated phishing scam designed to gain access to internal systems and wreak havoc from inside.
“If we want to use services supplied by others – whether it’s watching a film or borrowing money, we have to trust the company involved. We give them our details, they tell us how they value us as a customer and we get the goods. What more can we do? In theory, nothing – we just have to take them at their word as we have no direct control over how they store our data, what measures are in place to protect our data if it should end up in the wrong hands. All data has a value and the most common data found on the internet is usually the data we cannot change: names, dates of birth, addresses and phone numbers, all of which can be used to phish for more data or attempt identify fraud or theft. Our financial records of course are a little different as this data can be used to directly target your money. If enough data is obtained it may be possible to steal funds directly from your account or in some cases make changes to your account that could enable the attacker to pretty much do as they please. Of course in most cases we can get the money back but it’s the inconvenience of having cards and accounts changed or even frozen while that’s happening.
“If you find yourself concerned or even the victim of a data breach you should contact your bank immediately. Change any passwords for internet or mobile banking and be extra careful when contacted via email, or indeed any kind of messaging process and ensure that you validate who you are talking to. If you’re not 100% sure of the person you’re talking to, be polite, hang up and contact them yourself through an alternate method (if possible in person). Your banks understand the pressure of scammers and they want you to be safe so you should not be penalised for taking extra precautions and in most cases they should encourage it.”
David Mount, Director, Security Solutions Consulting EMEA at Micro Focus:
“This latest data breach from Wonga – potentially one of the largest data breaches in the UK involving financial information – once again raises the question of how large organisations are protecting our personal data. Various personal details are thought to have been stolen including sort codes and account numbers, leaving many thousands concerned that the cyber attackers will be targeting their bank accounts next.
“While there is a perception that cyberattacks are perpetrated by a teenage lone wolf in their bedroom, the reality couldn’t be further from the truth. Organised cybercrime is more profitable than the drugs trade and has far less risk for the perpetrators, who have become adept at sharing information amongst themselves. To make life harder for these cybercriminals, organisations must recognise the threat of sophisticated attacks today – and work together to keep cyber attackers at bay.
“Businesses should be collaborating around the early indicators of compromise in order to understand the known mitigation path. While attacks can be targeted to specific organisations, finding an indicator of compromise is always the first step. Once Wonga has established further details on how the breach occurred, the company should share this key data with the relevant authorities. Criminal gangs are trying to industrialise the process, so they’re looking for certain types of systems and searching for places to replicate a specific attack. This means the same tactics can be repeated hundreds of times – and the Wonga attack could be repeated elsewhere, leaving thousands of further accounts vulnerable to theft.”
André Stewart, VP EMEA at Netskope:
“The news that Wonga has been hit with a cyber-attack will have left thousands of UK customers wondering if their personal data was included in the horde of sensitive information stolen by cyber thieves. Customers’ bank account numbers, sort codes, addresses and even the last four digits of users’ bank cards are thought to have been stolen. While the organisation has stated that affected customers are unlikely to be at risk of theft, the fact remains that private personal information was compromised – posing a risk to customers.
“Data loss prevention needs to be a key priority for all businesses. Ignoring or downplaying increasingly sophisticated cyber threats is not an option. The EU General Data Protection Regulation (GDPR) – set to come into effect in just over a year – will hold organisations accountable for their data practices. As a result, companies will be forced to take active measures to mitigate any threats to personal privacy, whether that data is stored on-premises or in the cloud. Any companies falling short of these standards could face hefty fines.
“Alongside demonstrating that they have coached employees on the GDPR and secure data handling, employers will also need to provide staff with the tools to do their jobs securely without sacrificing ease and convenience. Ensuring the secure use of cloud services will be a fundamental piece of the compliance puzzle. Remaining vigilant to any unusual user behaviour and implementing technology such as DLP tools can ensure businesses are able to keep a close eye on particularly sensitive data, such as personally identifiable information (PII) of the type stolen in this latest hack. This will be the key to not only preserving customers’ privacy but also achieving GDPR compliance.”
Paul Dignan, Senior Systems Engineer at F5 Networks:
“The growing volume of encrypted traffic and high bandwidth of cloud services is making today’s security solutions work harder than ever to detect threats and reduce data leakage. Thus, businesses need to take an approach of ‘embracing the attacks’ to build a more robust architecture. Accepting the fact that hackers will attempt to access your data at any level where it is exposed is part of tackling the problem, starting from the endpoint itself. The application is where the cybercriminal sees the prize and for hackers, data means dollars.
“A successful security strategy protects organisations’ most critical assets, identities and applications by authenticating and authorising the right people to the right data and making sure distinction is made between legitimate access, human access and malicious attempts – whether crafted by bots or malware. Implementing a zero-trust model represents a fundamental change in security management and requires a comprehensive, integrated plan to transition the business to be effective with its cyber risk strategy.”
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.