Wisepay: School payments service hit by cyber-attack

Parents who made payments to UK schools in recent days via the Wisepay service have been warned their card details have been compromised.

Wisepay said a hack of its website meant an attacker was able to harvest payment details between 2 and 5 October via a spoof page.

Attempted payments to about 300 schools have been affected by the scam.

But the firm said only a small number of the pupils' parents would have used its system before it was taken offline.

Its managing director said this was because the type of cashless payments made - covering things like exam fees and school meals - would not be done on a daily basis.

"Actually, it's quite a small subset of users of the platform," insisted Richard Grazier.

The attack occurred on a Friday night and was not noticed until the following Monday morning at 10:00 BST.

At that point Wisepay's website was taken down, Mr Grazier said.

It had since come back online and was now safe to use, he added.

Mr Grazier said the hacker had managed to find a "backdoor" into the system's database and had modified one page.

As a result, when users clicked to make a payment, they were redirected to an external page controlled by the attacker.

This was "spoofed" to look like a legitimate payment page - but anyone who entered their debit or credit card details was effectively sending them to the cyber-criminal.

Wisepay said it does not store any payment information itself and had not leaked any of its own records.

But in a letter to schools, it recommended that parents who thought they might been affected should pause or cancel their bank cards, and change any online banking passwords.

The Information Commissioner's Office said Wisepay had notified it of "a potential data breach and we will be making further enquiries".

The firm also said it had contacted the police and had "engaged a computer forensics expert" whose work was ongoing.