“What actually happened remains in the dark,” complained a lawyer

Photo: Scalable Capital founders, from left, Erik Podzuweit, Florian Prucker and Prof. Dr. Stefan Mittnik (Scalable Capital)

In mid-October, sensitive customer data at Scalable Capital fell into the wrong hands due to an insider attack.

The statement from Scalable Capital is thin and tries above all to fend off complaints from the customers concerned, says a lawyer.

Even if there was no direct financial damage, affected customers could sue. The first claims for damages are being examined by a Munich data protection organization.

“Security is a top priority” was for a long time the motto at Scalable Capital, the most successful robo-advisor in Germany with 120,000 customers. In 2018, the asset manager advertised its “certified security technology”. Now the Munich-based fintech has had to admit a major security breach: there was unlawful access to identification data, tax and account numbers, as well as securities accounts of 20,000 customers.

After making this admission, Scalable tried to downplay the incident. At no time were customers’ assets at risk, it says in a letter dated October 19th, which remains vague about the background of the leak. Those affected only learn that there was no “technical security gap”, but that someone acted with “in-house knowledge”. Nevertheless, customers worry about the consequences of the data theft.


For lawyer Peter Hense, who specializes in IT and data protection, the crisis communication leaves the impression that the company is trying to hide something. “Scalable Capital’s statement is worded so vaguely that it can be interpreted in any direction,” says Hense. “What actually happened remains in the dark.”

The lawyer believes that the letter reads as if one wanted to give affected customers as few points of contact as possible for a lawsuit due to insufficient data security. “What happened at Scalable Capital, regardless of whether it was a security breach or the result of an insider attack, shows that the company’s IT security has failed,” says Peter Hense.

The statement is thin and diffuse

Protecting yourself from insider attacks is no less complex than fending off external hackers, explains Lars Hornuf, Professor of Financial Technology at the University of Bremen. A company can partially protect itself by granting employees only limited access, says Hornuf, whose specialty is data protection for fintechs. “But the company management will never be able to look into everyone’s heads and know the motivation of individual employees.”

Upon request, Scalable Capital announced that it had brought in external IT security experts to analyze and monitor the events. The company did not want to explain how this insider attack differs from a data breach.

Lawyer Hense believes that affected customers should examine their claims for damages. It is important to keep a record of potentially lost profits and any other damage. Even if customers were not informed of any direct financial damage, a data protection violation would still remain grounds for a lawsuit. This is governed by the European Union’s General Data Protection Regulation (GDPR).

The GDPR demands that those affected are informed in clear and simple language about the nature of the data protection violation. According to lawyer Hense, Scalable did not live up to this requirement. The European Society for Data Protection is already appealing to affected customers and offers to check claims for damages free of charge.
