Cyber Incident Victim: Scalable Capital
Date:
Oct 2020
Location:
Germany
Summary
A digital wealth management firm experienced a significant data breach involving unauthorized access to its document archive, compromising sensitive customer information. The exposed data included personal and contact details, investment account specifics such as bank account numbers, portfolio reports, transaction statements, and invoices, along with tax-related information like national insurance numbers. The organization confirmed customer assets and login credentials remained secure throughout the incident. All necessary security measures were implemented following the breach, with relevant supervisory authorities notified of the unauthorized access to the document storage system.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around October 19, 2020, Scalable Capital, a digital wealth management firm, detected unauthorized access to its systems, leading to a significant data breach. The company formally notified customers of the incident via written communication on the evening of October 19, as confirmed by documentation reviewed by financial news outlet AltFi. Attackers gained unlawful entry to a subset of documents housed within Scalable Capital's digital document archive infrastructure. The compromised records contained multiple categories of sensitive client information, including personal identification details, contact information, and investment account documentation. Specifically exposed data encompassed bank account linkages, portfolio performance reports, security transaction statements, billing invoices, and tax-related information such as national insurance numbers. Scalable Capital initiated regulatory compliance protocols by promptly notifying relevant data protection supervisory authorities about the security incident, though specific regulatory bodies were not named in public disclosures.
The breach exposed clients to potential financial fraud and identity theft risks due to the sensitivity of the compromised tax identifiers and banking information. Scalable Capital's notification emphasized that customer investment assets held with their custodian banking partners remained secure throughout the incident, with no unauthorized access to these holdings. The company also confirmed that user credentials for accessing client portals retained their confidentiality, indicating no evidence of password system compromise. In response to the breach, Scalable Capital implemented undisclosed security measures described as "necessary" without technical specification. The organization maintained ongoing incident response activities as the situation evolved, though no details regarding forensic investigation methods, attacker attribution, or system remediation timelines were provided to customers. Impact assessment remained limited to confirmation of document archive exposure without public disclosure of total affected individuals or geographic distribution of compromised records.