General News

WisePay Data Breach

UPDATE 08/10/20 11:00am

WisePay are sending emails to all affected customers with a secure download link containing the lists of affected users. 
These are customers who used a payment card between Friday 2nd and Monday 5th October.

We recommend that the WisePay letter for impacted parents/carers is sent out, possibly with a school cover letter. I would additionally advise people to check card and bank statements for the time of transactions and be prepared to cancel cards or at least contact their financial institutions for further advice.

I have been assured by the Managing Director of WisePay that the site is back up with additional security measures in place, including requiring all users to reset their password.


WisePay has suffered from a "URL manipulation" breach, where users were, it seems, sent to a spoofed card payment page replicating the SagePay system.

In response, the entire website has been taken down to protect users, with of course the consequence that parents are unable to use WisePay for meals/trips etc.

The attack is reported to have started on Friday 2nd October, with the site becoming unavailable sometime on Monday 5th October. Anyone using the site during this period may have had the following information unlawfully accessed:

  • Name of the cardholder;
  • Payment card number;
  • Card expiry date and CVC number.

WisePay have contacted schools in order to relay the information to affected parents. If your school uses WisePay and has not heard from them, get in touch with them and please let us know too.

DPE has contacted WisePay to ask what response they are making to affected individuals. We will update this page with any further information when we have it.

WisePay removed the site as a pre-emptive move to prevent any further users adding details onto the spoof website. They have reported the incident to the Information Commissioner's Office and the National Cyber Crime Agency.

From a data protection point of view, WisePay are a data processor - they process the request for payment on your behalf. An additional data controller also exists here: SagePay, who are responsible for the credit card information collected from parents. SagePay has not been breached; rather, users were somehow redirected to a lookalike site from WisePay. Therefore the responsibility for informing affected data subjects sits with the data controller.

WisePay has reported this incident to the Information Commissioner's Office. We are checking with the ICO as to whether they require breach reports from individual data controllers.