Cyber Incident Victim: Loqbox

Date: Feb 2020

Location: United Kingdom

Summary

A fintech startup experienced a sophisticated cyberattack compromising customer names, postal addresses, dates of birth, email addresses, phone numbers, partial bank account and payment card details, and sort codes. The company immediately engaged cybersecurity experts, secured its systems, and notified regulators and law enforcement, emphasizing that no customer funds were affected. While passwords reportedly remained secure, exposed personal data heightened fraud risks, prompting customer criticism over the lack of compensation despite apologies. The incident disrupted trust in the credit-building service, though operations continued normally post-breach.

Description

On February 20, 2020, UK-based fintech startup Loqbox suffered a cybersecurity incident described by the company as a "sophisticated attack." The breach exposed customer personal information including names, postal addresses, dates of birth, email addresses, and phone numbers. Financial data was partially compromised, with attackers accessing the first six and last four digits of payment card numbers, card expiry dates, two digits of bank account numbers used for payments, and sort codes required to unlock customer savings. Loqbox confirmed customer passwords remained secure, either due to their absence in the compromised systems or protective measures like hashing and encryption. The company detected the intrusion on the day of the attack and immediately implemented protective measures for personal data while engaging cybersecurity experts to investigate.

Loqbox notified affected customers via email within days, acknowledging the breach and its potential consequences for fraud susceptibility while emphasizing that no customer funds were compromised. The startup reported the incident to UK authorities including the Information Commissioner's Office, Financial Conduct Authority, and police. Internal response measures included enhanced system monitoring and strengthened computer system defenses. Customer backlash emerged on social media platforms, with individuals criticizing the exposure of sensitive data and expressing dissatisfaction with the lack of compensation offers. Loqbox maintained normal business operations throughout the incident, reiterating that its core service—which helps users build credit scores through managed savings—remained fully functional. The company's public statements emphasized ongoing investigations and regret for customer inconvenience without admitting specific operational failures or detailing technical aspects of the attack methodology.
