Another week, another embarrassing cyber attack. This time it’s payday lenders Wonga who are the latest high profile business to fall victim to hackers with reports suggesting 270,000 customers’ details have been stolen (of which 245,000 are in the UK) – including the last four digits of bank cards.
For a business named after the slang for money, it’s ironic that, when the dust settles – the attackmaycost them a tidy sum of their own wonga – just as it did for TalkTalk.
The 2015 hack at TalkTalk resulted in a £400,000 fine from the Information Commissioner’s Office (ICO) after it found the attack “could have been prevented if TalkTalk had taken basic steps to protect customers’ information”. But that was nothing compared to the overall cost to the business in terms of loss of custom and compensation – estimated to have reached £60 million.
One of the biggest breaches to hit a UK company
According to the Daily Telegraph, theWongabreach is believed to be one of the biggest involving financial information to have hit a UK company.
Although still working to establish the full details of the attack, Wonga have conceded that the data breached “may have included one or more of the following: name, email address, home address, phone number, the last four digits of your card number (but not the whole number) and/or your bank account number and sort code.”
Not so ‘sophisticated’
A statement from Wonga says that “Cyber attacks are, unfortunately, on the rise, While Wonga operates to the highest security standards, these illegal attacks are unfortunately increasingly sophisticated.” They are of course correct and although the full details of how the attack happened are still to be determined, it is interesting to note that TalkTalk offered a similar defence describing their attack as “sophisticated and co-ordinated”.
In their case it later emerged that the ‘sophisticated’ cyber mastermind behind the hack was a 17-year-old too young to even be named. It cost TalkTalk millions, all the judge could do was confiscate his iPhone.
The reason for the TalkTalk fine was that they failed to take the ‘basic steps’ to protect their customers’ data. As an approach to data security there’s nothing sophisticated about that either. These ‘basics’ identify security vulnerabilities that are easily fixed and only cost a fraction of the potential damage to implement.
It’s too late after the event so, if you feel in any way concerned about the security measures in place in your organisation, the next section is for you.
So, what are the basic cyber security steps?
We’ve covered this extensively in articles on the Ascentor blog. There is no shortage of readily available information you can follow.
As your doctor will tell you, prevention is better than cure – and the same applies to your cyber security. In ‘ An ounce of prevention ‘ we explain how cyber security controls don’t need to be complex or cutting edge to be effective. We cover controls including GCHQ’s Ten Steps to Cyber Security, Ascentor’s guide to Cyber Essentials and the SANS CIS Critical Security Controls.
We’ve also written a series of posts on ransomware covering backup strategies for individual/home users, SMEs and larger enterprises – who often have more sophisticated IT environments and, potentially, a lot more data at risk.You can read our ransomware strategy for the larger organisation in ‘ Ransomware and Large Enterprises – a defence-in-depth strategy .’
In ‘ 5 ways to spring clean your cyber security ‘ we give a number of relatively simple to achieve suggestions that would provide a good level of assurance that security controls are working effectively.
If correctly implemented, the steps covered in the above articles will give your organisation a substantially better chance of avoiding the damage caused by a cyber attack, not to mention the wonga involved.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how ourconsultants could advise on any aspect of cyber security, please contact Dave Jamesat Ascentor.
Email: [email protected]k
Office: 01452 881712
Other posts you might like