Fintech startup Loqbox has fessed up to suffering an "attack" which potentially revealed its customers' names, postal addresses, dates of birth, email addresses and phone numbers.
The company, which aims to help consumers improve their credit ratings, told customers that an external attack had compromised the two digits of bank account numbers used to make payments and the sort codes customers can use to unlock their savings. The first six and last four digits of customers' card numbers and expiry dates were also said to be at risk.
"We are doing everything we can to understand how this happened," the customer email - seen by us - states. "We know from our security experts that this was a sophisticated attack. We constantly monitor our systems but have now taken further steps to improve the defences of the LOQBOX computer system. We are also liaising with the relevant regulators and have reported the incident to the police."
The attack happened on 20 February, after which, Loqbox said, it immediately took steps to protect personal data and hired "cyber-security experts".
Security analyst Graham Cluley said that since passwords were not compromised, they were probably stored in a database that was not accessed by the hackers, or that they had been hashed and encrypted.
"Unfortunately, the details that have been stolen are enough for various forms of fraud and scams to take place. Users should be on their guard," he said.
Loqbox works by a customer nominating a savings target and Loqbox creating an interest-free loan for that amount. As the customer pays off the loan, Loqbox reports the repayments to credit reference agencies, which then improves the customer's credit score. At the end of the year, the customer gets their money back, making the service free to consumers.
In its email, Loqbox assured customers that all funds remained "absolutely secure".
"Whilst we are deeply concerned about what has happened, the business is still functioning completely as normal," it said. Customers were less reassured.
Venting their frustration on Twitter, one apparent customer said: "I understand that following a cyber attack my bank details are now in the hand of hackers as well as my DOB, address and other personal data and you send me an email apologising!!!!!! #thanksfornothing."
Another said: "Absolute muppets can't even secure your database."
In a separate email, Loqbox told customers it was not currently offering compensation for the loss of personal data, although it did say it was "extremely sorry".
On its website, Loqbox said it had contacted both the Information Commissioner's Office and the Financial Conduct Authority to detail the attack and its response.
A Loqbox spokesperson told The Register: "This was a sophisticated cyber-attack on our company which we are still investigating. As soon as we became aware of what had happened, we brought in cyber security experts and a specialist law firm. We now know that some personal information relating to our customers was obtained by the hacker. We are truly sorry for the worry and inconvenience this has caused and we are informing our customers about what they can do to protect themselves. No LOQBOX Funds have been affected."