The first shock for many Scalable Capital customers came shortly after 9 p.m. on Monday: a brief e-mail from the asset manager titled “Notification of data protection incident”. Customers had to log into their account for more information. The second shock followed immediately afterwards: logging in on the website or in the app did not work. The system was overloaded because too many customers wanted to see what was wrong with their money.
It is now clear that no money has been lost. But the company from Munich had to admit a breach of trust: someone had “illegally accessed a subset of documents”, it says in the customer information. Someone has gained access to contact details, ID data, tax numbers, securities statements and account numbers. With Scalable Capital, customers must set up a reference account with another bank. However, the attacker could not read the customers’ passwords, explained Scalable Capital. In the meantime, the data concerned have also been secured against unauthorized access.
Such an amount of financial data from citizens is a treasure trove for fraudsters, who want to use it to impersonate the victims on other websites in order to enrich themselves or otherwise cause damage at the victims’ expense. The company warns: “In general, the data could be used to try to induce certain behavior, in particular to disclose further confidential information or to induce payments.”
However, according to Scalable Capital, hackers who sought their victims remotely were not to blame. Nobody had broken in through a “technical security gap that could be exploited directly from the outside”. The attack came from inside the company. The perpetrator or perpetrators “obtained the data with the aid of company-internal knowledge that is only available via appropriately secured access”. IT experts call this an insider attack.
A preliminary investigation had been initiated, the company said. A spokeswoman did not want to say whether an employee was specifically suspected or whether there were several people. According to its own statements, the company has informed the financial supervisory authority Bafin, the Bavarian data protection authority, the Bundesbank and the public prosecutor’s office.
With more than two billion euros in customer money under management and more than 100,000 customers, Scalable Capital is the market leader among robo-advisors, which automatically invest money from investors. These financial start-ups usually use algorithms to buy and sell stocks and bonds as profitably as possible. Most of the time, they invest money through index funds in stocks or bonds – depending on how much risk customers want to take.
Among others, the financial group Blackrock has bought into Scalable Capital. Blackrock, Holtzbrinck Ventures and Tengelmann Ventures invested another 50 million euros as recently as July. And this despite the fact that some customers accused Scalable Capital of selling shares too late after the Corona crash in spring and buying them again too late.
According to the company, anyone who would like to find out more about their individual case should contact the address firstname.lastname@example.org.