
WisePay Data Breach – Parents at Around 300 Schools May Have Had Their Data Stolen

Parents at around 300 schools across the UK may have had their personal details stolen after the online payment system WisePay was targeted by cybercriminals.

WisePay allows parents to conveniently pay for their children’s school meals online. However, between 2 and 5 October, hackers targeted the service through URL manipulation, allowing them to redirect and control the service’s payment gateway page. As a result, hackers may have been able to unlawfully access users’ payment card data. Any organisation affected by this data breach will be legally obliged to inform the affected parties of the risk of their data being exposed.

One of the schools affected is Wade Deacon High School in Widnes, which is advising its WisePay users to immediately start monitoring their bank accounts and contact their provider to inform them of the breach.

WisePay now states that the service has been secured, the platform is back online and it is safe to use again. It has also reported the incident to the UK’s Information Commissioner’s Office (ICO) for further investigation and advised potentially affected individuals to get in touch with their school or college as soon as possible to check whether their data has been stolen.

Because the data stolen relates to card payments, anyone whose data was exposed by the breach will be at risk of serious financial crime. This makes the WisePay data breach particularly concerning for those affected.

Could you be entitled to compensation for the WisePay data breach? Please get in touch.

How did cybercriminals access WisePay?

WisePay provides a payment platform that “[allows] parents and guardians to make cashless payments to their [children’s] school or college”.

At some point on 2 October, cybercriminals accessed the WisePay payment platform via a “backdoor” in the system’s database, where they were able to modify one page. The result was that when parents and guardians accessed the platform to make a payment, they were redirected to a “spoof” page controlled by the hacker. To the users, this page would look just like the legitimate payment page; however, when they entered their debit or credit card details, these went straight to the hacker. This is effectively a type of online card skimming attack.

The attack was conducted between 2 and 5 October, so anyone who has used the platform since 1 October could be at risk of financial crime.

How has WisePay responded to the breach?

Once WisePay became aware of the breach, it took its website offline. It also notified the Information Commissioner’s Office (ICO) of the breach and “engaged a computer forensics expert” to conduct its own forensic investigation.

The ICO will conduct an investigation to work out exactly how many people have been affected by the cyber-attack.

WisePay now states that the payment platform is secure, the website is back online, and it is safe for parents and guardians to continue to use it to pay for their children’s school meals.

What data was accessed in the WisePay breach?

WisePay states that it does not store payment information itself and none of its records have been leaked. Therefore, the breach is limited to users who accessed the spoof page and entered their payment details. However, this is still a serious breach that could put users at risk of financial crime and further “phishing” attacks for additional personal data.

What organisations have been affected by the WisePay breach?

It is reported that around 300 schools and colleges have been affected by the WisePay hack. One of these was Wade Deacon High School in Widnes, which has already written to potentially affected parents and carers to inform them of the breach and advise them of what steps to take, including:

  • Immediately changing their WisePay password
  • For anyone who has used the platform since 1 October to:
    • Monitor their bank account (any genuine payments should go to the WisePay bank account before being transferred to the school)
    • Inform their provider of the breach as soon as possible

The school is not yet able to confirm to parents or guardians if they have been personally affected by the breach as this information has not been released by WisePay.

What to do if you are worried about the WisePay data breach

If your data has potentially been exposed in the WisePay data breach, your children’s school or college should have been in touch with you to let you know of the risk and provide WisePay’s information about the cyber-attack.

If you have not been contacted but you believe that you may be at risk because you used the WisePay platform after 1 October, you should contact your school or college directly to find out if you have been exposed.

If there is a risk that your data has been compromised, WisePay recommends that you watch out for the following risk signs:

  • Suspicious activity on your bank account
  • Money going missing from your account
  • Receiving ransomware or fake antivirus messages
  • Browser toolbars appearing that you did not add yourself
  • Search history that you do not recognise
  • Being redirected when you make an internet search query
  • Getting regular, random pop-ups on your computer screen
  • Your friends receiving social media notifications from you that you did not send
  • Your online passwords stopping working
  • Software appearing on your computer that you do not recognise or remember installing
  • Your mouse moving apparently by itself

Additionally, if anyone contacts you asking for further personal information, be very wary about providing this. Cyber-criminals may pose as someone contacting you from your children’s school, your bank or WisePay themselves to try to scam you.

Scams following a data breach can come in various forms. The cyber-criminals may contact you to try to extract more of your personal information and use this to commit financial crime. Alternatively, they may pretend that your accounts have been compromised to convince you to transfer money to them.

Do not share any personal information or make any payments unless you are absolutely sure they are legitimate and you believe there is a valid reason to do so.

For more information about taking steps to protect yourself, take a look at our guide on what to do if your data has been stolen in a data breach.

It is also worth considering whether you may be entitled to compensation as a result of the breach. Our team at Hayes Connor will be happy to discuss this with you.

Can you claim compensation for the WisePay data breach?

If you share your personal data with an organisation, they have a legal duty to protect that data. This includes having robust cyber security measures in place to prevent cyber-attacks, such as closing any back doors in their systems that could allow cyber criminals to access your data.

If the Information Commissioner’s Office investigation concludes that WisePay’s security measures were insufficient, it may decide that the organisation has breached its data protection duties. If that is the case, anyone affected by the hack will have strong grounds for pursuing compensation.

Affected parties may be able to receive compensation even where there is no proof of harm. However, where it can be shown that the affected party suffered emotional distress or financial losses due to the data breach, they could receive more substantial damages.

How Hayes Connor can help you claim WisePay data breach compensation

Hayes Connor is one of the largest teams of data breach claims specialists in the country. We have decades of combined expertise, so if you have been affected by the WisePay data breach, we can provide advice on whether you may have grounds for a claim and the compensation you may be entitled to receive.

We aim to ensure that anyone affected by a data breach is able to get the compensation to which they are entitled, while making the claims process as straightforward and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form.

To speak to a member of our team, please do not hesitate to give us a call on 0330 041 5135.