Parents who topped up their child’s prepaid lunch card via WisePay between the 2nd and 5th October have been warned that their card details have been compromised.
Parents at approximately 300 schools in the UK have been affected by this scam. WisePay stated that only a small number of parents would have made payments on the system before it realised the attack had occurred.
The cyber-attack occurred on Friday night, when the hacker managed to find a backdoor into the system. WisePay only discovered this on the Monday morning.
The hacker was able to obtain card details by setting up a fake page. Parents who believed they were making payments to WisePay were redirected to it and ended up giving their card details to the attacker.
Attacks such as these are referred to as Magecart hacks. The hacker does not break into the database to obtain card details; instead, they gain access to the system in order to redirect users to a fake page. Hackers must choose wisely who to attack to increase the chances of getting results, so they need to choose a system that receives regular payments.
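Because this kind of attack changes where the payment page sends the browser rather than touching the database, a site operator can check the served page itself. The following is an added example, not code from WisePay or from the original article: it lists every form target, script, iframe and meta-refresh redirect on a page that points outside an allowlist of expected hosts. The hostnames and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that decide where a payment page loads code from or sends data to.
WATCHED = {("form", "action"), ("script", "src"), ("iframe", "src")}


class TargetCollector(HTMLParser):
    """Collect every URL the page can post to, load from, or redirect to."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.targets = []  # list of (kind, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            if (tag, name) in WATCHED and value:
                self.targets.append((f"{tag}[{name}]", urljoin(self.base_url, value)))
        # <meta http-equiv="refresh" content="0; url=..."> redirects without any script.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", attrs.get("content") or "", re.I)
            if m:
                self.targets.append(("meta[refresh]", urljoin(self.base_url, m.group(1).strip())))


def off_site_targets(html, base_url, allowed_hosts):
    """Return the (kind, url) pairs whose host is not in allowed_hosts."""
    collector = TargetCollector(base_url)
    collector.feed(html)
    return [(kind, url) for kind, url in collector.targets
            if (urlparse(url).hostname or "").lower() not in allowed_hosts]


# Constructed sample: a top-up page whose form and redirect point off-site.
SAMPLE = """
<html><head><script src="/static/app.js"></script>
<meta http-equiv="refresh" content="0; url=https://pay.example.net/topup"></head>
<body><form action="https://pay.example.net/card" method="post">
<input name="pan"><input name="cvv"></form></body></html>
"""

if __name__ == "__main__":
    for kind, url in off_site_targets(SAMPLE, "https://payments.example.org/topup",
                                      {"payments.example.org"}):
        print(kind, url)
```

Run against a freshly fetched copy of the live payment page on a schedule, a non-empty result is a signal to investigate; a static check like this does not see redirects performed by script at runtime.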
Because the hacker could attempt online payments using the card details obtained through the attack, WisePay reacted quickly with a letter sent to all affected schools, advising parents to freeze their bank cards and change their online banking passwords.
Incidents like this can cause major disruption to a business, as well as loss of profit if the ICO suspects that sensitive data has been mishandled. For example, a larger-scale Magecart attack happened to British Airways in 2018, affecting 400,000 customers. The ICO has said it intends to fine BA £183 million!
WisePay believes that this should not happen to them, as they informed the ICO of the attack promptly and involved computer forensics experts.