MSE News

Credit score builder Loqbox hit by data breach

Some customers of credit history-building tool Loqbox have had personal and financial data compromised after the firm was hit by a "sophisticated and complex" cyber attack.

Loqbox is a tool which helps those with patchy credit histories build a credit score by buying a 'digital voucher' – essentially a loan – and then 'repaying' it by saving a set amount into a Loqbox account each month.

But Loqbox has now announced that it's been hit by a cyber attack, in which hackers accessed both customers' personal data – such as addresses and phone numbers – and, in some cases, their payment information.

It insists that all funds that customers have paid in are secure and have not been affected by the hack. It says customers can carry on logging into their Loqbox accounts in the usual way.

Loqbox says it discovered the attack on 20 February 2020, and has since contacted all affected customers to tell them what's happened and offer them advice on how to protect themselves – if you're affected, we've full safety tips below. We've asked Loqbox how many customers were affected by the breach, and will update this story when we hear back.

See our 30+ Ways to Stop Scams guide for information on keeping your data safe and our Credit Cards for Bad Credit guide for help on rebuilding your credit history.

What is Loqbox?

Loqbox is a tool for those whose credit histories are too limited for them to take out traditional credit products. Customers choose an amount between £20 and £200 which they can afford to save each month.

The way it works is you're then given a nominal 'loan' for 12 months' worth of your chosen amount. In actual fact, no money changes hands but you are given a Loqbox – a sort of digital voucher – which you then 'repay' by your chosen amount each month. In practice, this means you pay into a ring-fenced Lloyds savings account and will then get all the money you've paid in back at the end of the 12 months – though you don't earn any interest.

As you're effectively repaying a loan, your monthly payments are reported to all three credit reference agencies, which Loqbox says should help build your history. You can also get your savings back whenever you want penalty-free by 'unlocking' your Loqbox.

At the end of the 12 months – or before if you choose to unlock earlier – you'll be given the option of opening a new account with one of Loqbox's partners.

What data has been compromised?

Loqbox says the personal information accessed by the hackers includes some customers' names, dates of birth, postal addresses and phone numbers.

In some cases, hackers have also accessed some of the following types of financial information:

  • The first six and last four digits of a customer's 16-digit card number.
  • The customer's card expiry date.
  • The sort code used by customers to unlock their Loqbox.
  • Two digits of the bank account number used to make payments to Loqbox.

Loqbox says it's reported the incident to the police and regulatory authorities, and has taken "further steps" to improve the defences of its computer system.

I'm affected by the breach – what can I do?

Loqbox says the compromised personal data couldn't be used to access customers' bank accounts or other accounts on its own.

However, there is a chance the information could be used by criminals alongside other data to carry out phishing attacks or attempts at identity fraud, so it's important to stay vigilant.

If you're affected by the data breach, you should take the following steps to minimise the risk of being hit by fraud (see our 30+ Ways to Stop Scams guide for full help):

  • Check your bank or credit card transactions regularly. If you spot any unfamiliar or unusual activity, make sure you contact your bank immediately and let it know.

  • If worried, demand a new card. Check whether your bank or credit card firm will be routinely replacing cards affected by this breach – but if not, you can ask for a replacement card anyway.

  • Beware of 'phishing scams'. Criminals may attempt to use the news of the data breach as an opportunity to trick people affected into revealing information. Remember that no bank or any other genuine organisation will contact you out of the blue to ask for details such as your PIN or banking password, and beware of clicking on any links in text messages or emails.

    Loqbox has also reiterated that it will never call, text or email customers asking for their full bank account number or card details.
  • See if your card provider lets you get payment notifications. Some card providers, such as American Express, allow you to get notifications on your phone or tablet every time a payment is made on your card. This way, you can see instantly when a payment goes out if it's one you aren't expecting.

MSE weekly email

FREE weekly MoneySaving email

For all the latest deals, guides and loopholes simply sign up today – it's spam-free!