In mid-October, sensitive customer data at Scalable Capital fell into the wrong hands due to an insider attack.
The statement from Scalable Capital is thin and tries above all to fend off complaints from the customers concerned, says a lawyer.
Even if there was no direct financial damage, affected customers could sue. The first claims for damages are being examined by a Munich data protection organization.
Safety is a top priority – that was the motto for a long time at Scalable Capital, one of the most successful robo-advisors in Germany with 120,000 customers. In 2018, the asset manager advertised its “certified security technology”. Now the Munich-based fintech has had to admit a major security gap: there was unlawful access to identification data, tax and account numbers, as well as securities account data, of 20,000 customers.
After making this admission, Scalable tried to downplay the incident. At no time were the customers’ assets at risk, it says in an October 19th letter which remains vague about the background of the leak. Those affected only find out that there was no “technical security gap”, but that someone acted with “in-house knowledge”. Nevertheless, customers worry about the consequences of the data theft.
For lawyer Peter Hense, who specializes in IT and data protection, the crisis communication leaves the impression that the company is trying to hide something. “Scalable Capital’s statement is worded so vaguely that it can be interpreted in any direction,” says Hense. “What actually happened remains in the dark.”
The lawyer believes that the letter reads as if one wanted to give affected customers as few points of contact as possible for a lawsuit due to insufficient data security. “What happened at Scalable Capital, regardless of whether it was a security breach or the result of an insider attack, shows that the company’s IT security has failed,” says Peter Hense.
The statement is thin and diffuse
Protecting yourself from insider attacks is no less complex than fending off external hackers, explains Lars Hornuf, Professor of Financial Technology at the University of Bremen. A company can partially protect itself by giving employees only certain access rights, says Hornuf, whose specialty is data protection for fintechs. “But the company management will never be able to look into everyone’s heads and know the motivation of individual employees.”
When asked, Scalable Capital announced that it had brought in external IT security experts to analyze and monitor the events. The company did not want to explain how this insider attack differs from a data breach.
Lawyer Hense believes that affected customers should check their claims for damages. It is important to keep a diary of potentially lost profits and any other damage. Even if customers were not informed of any direct financial damage, a data protection violation would remain grounds for a lawsuit. This is regulated by the General Data Protection Regulation (GDPR) of the European Union.
The GDPR demands that those affected are informed in clear and simple language about the nature of the data protection violation. According to lawyer Hense, Scalable did not live up to this requirement. The European Society for Data Protection is already appealing to affected customers and offers to check claims for damages free of charge.