Insider Attack on Neobroker
Author
Hannes Hartung

"Did you hear about Scalable? I just signed up with them last week." These were the words a friend greeted me with on his way to the office at the end of October. At the time, we were not fully aware of the consequences.
After its founding, the fintech startup Scalable Capital started with a robo-advisor, which invested clients' capital automatically and according to their risk profile. Since then, a second product has been added: Scalable Capital launched a neobroker to make it as easy as possible for customers to acquire and manage shares, derivatives and ETFs.
A few weeks ago, there were reports of a data leak at the fintech startup. On October 19th, the company informed its customers about the data leak and the associated unlawful access to the data of more than 31,000 customers.¹ The exposed data included contact and identity details as well as tax and account numbers.
From data leak to blackmail
The current development of cyberattacks shows that cybercriminals now proceed in a very structured manner and usually prepare and evaluate attacks over months, sometimes even years. In the case of Scalable Capital, the attack has now culminated in the blackmailing of victims and the sale of the intercepted data. Among other things, those affected received the following worrying message:
It has come to our attention that we have personal information about you. Here you can find your data:
Other victims report receiving unsolicited messages and, in some cases, strange phone calls. Victims of this data leak will have to prepare themselves for deceptively genuine phishing emails in the coming months. Fintech companies in particular are increasingly being targeted by cybercriminals, as they usually manage very sensitive client data. For this reason, experts' voices are growing louder, demanding similar regulations for fintechs as for banks. For the safekeeping of funds, young fintech startups usually work together with larger banks, which are already regulated by BaFin. However, precautions should also be taken to protect customer data. Authorisations, and especially access rights to such a large amount of client data, should be granted very restrictively. All too often, employees are assigned more rights than they need, and those rights are not reviewed regularly.
Insider attack with serious consequences
Current statistics show that insider attacks are no longer a rarity and continue to increase from year to year. For example, in a 2019 research report, PwC reported that 40% of all companies surveyed had experienced insider attacks. Every company should therefore pay more attention to access management and educate all employees through extensive awareness campaigns. The attack on the asset manager Scalable Capital shows once again how important the cooperation between those responsible for data protection and those responsible for information security is. It will have serious consequences for the company, including:
- Reputational damage
- Loss of customers
- Financial penalties
Dealing with data protection incidents in companies
There is, however, one piece of positive news in this case. The company reacted quickly and informed the responsible authorities and those affected shortly after the incident became known. This is a positive example of the effect of the General Data Protection Regulation and the stricter notification obligations it introduced.
¹ Business Insider: Insider attack with extortion emails and spam calls: Data of 31,000 Scalable customers was unprotected for over six months. [online] https://www.businessinsider.de/wirtschaft/finanzen/insider-angriff-mit-erpressermails-und-spam-anrufen-daten-von-31-000-scalable-kunden-waren-ueber-sechs-monate-ungeschuetzt-c/ [accessed 04.11.2020].