
Cyber Incident Victim: Pepperstone

Date: Jul 2020

Location: Australia

Summary

A cybersecurity incident involving Pepperstone originated from a third-party vendor compromise, where attackers deployed malware to obtain the vendor's credentials. These credentials were subsequently used to access the company's client relationship management system, leading to unauthorized acquisition of personal information belonging to a subset of clients. Pepperstone halted the intrusion and communicated transparently about the breach, an approach noted as unusually forthright within the financial services industry for proactively informing affected parties without external prompting.


Description

On or around July 14, 2020, Pepperstone, a multi-regulated foreign exchange and contracts for difference (CFD) broker, experienced a data security breach originating from a third-party vendor. Cybercriminals deployed malware to compromise the vendor’s computers, obtaining credentials that provided access to Pepperstone’s internal client relationship management (CRM) system. The attackers leveraged these stolen credentials to infiltrate the CRM, though the company detected and halted the intrusion before further escalation. The breach resulted in unauthorized access to personal information belonging to a subset of Pepperstone’s clients. The company initiated an investigation promptly after discovering the incident, focusing on the vendor’s compromised systems as the entry point. Pepperstone confirmed the attackers did not penetrate its core trading platforms or financial systems, limiting the operational impact to client data exposure through the CRM.

Pepperstone notified affected clients of the breach within approximately one week, disclosing the third-party vendor’s role and the malware-based credential theft. The company emphasized transparency in its communications, assuring clients that no financial data or trading accounts were compromised. Industry observers noted Pepperstone’s proactive disclosure as atypical within the financial sector, with one commentator highlighting it as the first instance in their 29-year career where a firm openly admitted a data leak without external pressure. The incident underscored risks associated with third-party vendor access to internal systems, though Pepperstone did not publicly identify the vendor or specify the exact number of affected clients. Containment efforts included revoking the compromised credentials and securing the CRM system to prevent further unauthorized access. No additional attacker actions or post-breach exploitation of the stolen data were reported in the immediate aftermath.
