It is news that no one wants to hear: not investors, not founders, not managers. Last Monday it was announced that the digital asset manager Scalable Capital had suffered a data leak. Founder Erik Podzuweit went on the offensive and announced that around 20,000 customers, a fifth of the customer base, were affected by the leak. However, customers who came through the partnership with ING or other cooperation partners were not affected.

Nevertheless, customers were alarmed. The effects were not long in coming: within a very short time, neither the website nor the app could be accessed. System overload!

Signs point to an internal and illegal action

A worst-case disaster (Super-GAU), or just a storm in a teacup? The Munich-based robo-advisor Scalable Capital responded quickly, sending information to its clients and clarifying that “a partial stock of documents had been unlawfully accessed”.

Someone had gained access to contact data, identification data, tax numbers, securities statements and account numbers. (Customers must register a reference account at another bank with Scalable Capital.) However, the attacker could not read the customers’ passwords, the company explained. Some of the data was sensitive, such as the tax identification number and the securities account values.

The Munich public prosecutor’s office is involved

The company rules out a hacker attack. Its statement goes on to say that the affected archive was accessed with the help of internal company knowledge that is only available through correspondingly secured access. In the meantime, the financial supervisory authority BaFin, the Bavarian data protection authority, the Bundesbank and the public prosecutor’s office have been involved. The company immediately initiated the preliminary proceedings.

Hacker attacks, data leaks and access to customer data occur again and again, and the financial sector in particular is always a popular target for hackers. Even experts keep sounding the alarm. It is not the first time that sensitive data has been hacked; the last time, in 2019, it hit Mastercard, among others, hard.

How does the Payment & Banking team assess the data leak at Scalable? Is it just a storm in a teacup, or what are the consequences of the incident at the Munich robo-advisor?

André M. Bajorat

WTF was my thought too. And at the same time I asked myself what could happen with my own securities account at Scalable. But the answers Scalable gave me in its very clear and open communication calmed me down at first. The exciting question will be whether someone will try other things with the stolen data. Time will tell. Unfortunately, one can probably protect oneself against internal attacks even less well than against external ones.

Maik Klotz

Stupid and annoying, but the more important message is: It is not a data leak. No data was taken from outside, there was no external security breach. The data leak was probably a data theft. That shouldn’t happen either, but it’s completely different than when data is taken from outside through a security hole. The communication to the outside was exemplary. A fintech that understood how crisis communication works. Scalable will come through this crisis just fine, I’m convinced of that.

Christina Cassala

The very big outcry in the industry has so far failed to materialize. The media have gratefully taken up the topic, because data theft or leakage always sounds like a scandal and many departing customers. But as the situation currently shows, the big scandal has so far failed to materialize, because the founders have communicated calmly and transparently. It is an example of how important and right it is to present oneself authentically as a founder, to admit and emphasize breakdowns, and to work at full speed to fix them. Other players in the industry could take a leaf out of this book. Customers must not be forgotten, but must be kept informed.

Kilian Thalhammer

Data topics are always relevant – so rarely a storm in a teacup. However, we must not fall into the thought “This is a startup – it was obvious that this would happen”. Everyone should rather reflect on what could happen “in their own shop”.
The “kind of data” scares me a little, especially when you see in context what an outcry there sometimes is when it is “only” about “cc” data. As an end user, the damage is manageable, because I can quickly block them as an end user.
Data thefts are unfortunately becoming more common – and often the enemy comes from within – very difficult to manage, especially in order not to “punish” the whole organization and then possibly also suffer a competitive disadvantage. So I wish the founder Erik Podzuweit a good sense of proportion and focus (and the fading out of the smart_guy….).