British payday loan company Wonga has informed customers that their personal and financial data may have been stolen in a cyberattack.
According to Wonga, hackers gained unauthorized access to names, email addresses, physical addresses, phone numbers, partial payment card numbers (i.e. the last four digits), bank account numbers, and sort codes. The firm’s investigation is ongoing.
Wonga says there is no evidence that passwords have been compromised, but users who are concerned can change their passwords as a precaution. Impacted individuals are being notified.
The Guardian reported that the incident may have affected as many as 270,000 current and former customers in the United Kingdom and Poland. Roughly 245,000 of the potential victims are from the U.K.
While complete payment card data is not at risk, Wonga says it will alert financial institutions, and it has advised customers to contact their bank and ask them to be on the lookout for any suspicious activity.
The company has also warned affected customers of scams and other online activities that may leverage this incident in an effort to trick users into handing over sensitive information.
This is one of the biggest known data breaches suffered by a U.K. company. In recent months, breaches have also been reported by Camelot, which runs the U.K. National Lottery, business software firm Sage, and telecoms company Three.
The country’s Information Commissioner's Office (ICO) has launched an investigation into the incident, and it could lead to a significant fine. Telecoms firm TalkTalk received a record fine of £400,000 (roughly half a million dollars) for the October 2015 breach that affected more than 150,000 customers. The ICO can issue a maximum fine of £500,000 ($620,000).