Frequently asked questions
about the data protection incident
at Scalable Capital

Important note: The investigation and analysis of the data protection incident
is still ongoing.
We will update this website on an ongoing basis.

You can reach our client support team via:

Am I affected?

Clients of Scalable Capital’s investment management service are affected. If you started the opening process after 10 October 2020, you are not affected. Affected clients received a notification by email making them aware of a message on the data protection incident in the Scalable Capital mailbox on the evening of Monday 19 October.

The incident also affected former clients as well as clients who had fully completed their application, but whose portfolios were never funded.

What does this mean for me personally?

Which of my data is affected?
 

Very important: Your password is NOT affected. And you should not share this with anyone; not even with Scalable Capital or the custodian bank! A possible consequence of this data incident could be attempts to contact you to persuade you to hand over your password under false pretences.

The affected document archive, which was accessed, is used to store documents for the mailbox. You can still view these documents in your mailbox in the App or login area of the website. Documents posted to your mailbox before 11 October have been accessed.

In general, the following categories of personal data were accessed: Personal and contact data, the information provided in the course of your suitability questionnaire, data relating to the investment account (such as linked bank account, portfolio reports, security transaction statements, invoices) and tax data (such as national insurance number).

Was a specific search made for my data?
 

No. Access was made without focusing on specific individuals or groups of people.

Do I have to file a report with the police?
 

No. We have informed the relevant supervisory authorities. The relevant law enforcement authority has been involved.

If you have any indications of misuse of your data, e.g. if it becomes apparent that your data is being used without your knowledge in any way, or if you are contacted by third parties with regard to your data, you should report this to your local police authority.

Has my data been used?
 

We have received feedback from some customers of our Germany entity that they have been contacted by third parties via email using their data. Furthermore, third parties have approached journalists referencing the incident. If you are also being contacted by third parties with regard to your data, please contact us. Do not reply to the e-mail and do not provide information over the phone.

(last updated on 30 November 2020)

What should I do as a customer?
 

Pay particular attention to the general principles for the protection against cyber-crime as outlined by the Information Commissioner's Office (ICO). Pay particular attention to phishing, identity misuse, unusual account transactions or the request to disclose confidential access data like your passwords. You can find the link here: https://ico.org.uk/your-data-matters/identity-theft/

Important: Neither Scalable Capital nor any other reputable provider would ask you to disclose passwords by email or telephone.

In addition, you should:

  • Check your bank statement regularly for any unusual payments that you do not recognise.
  • Check your Experian Credit Report regularly for newly opened accounts or credit searches that you do not recognise.
  • Use strong passwords and change them regularly. Try to keep them at least eight characters long and use numbers, upper case, lower case and symbols.
  • Never give out personal details over the phone unless you are sure who you are speaking to.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK's national fraud and internet crime reporting centre, on Tel. 0300 123 2040.

What are possible consequences for me?

We would like to emphasise that, as a result of the incident:

  • Your assets held in custody with the custodian bank have not been at risk at any time.
  • Only authorised securities orders, withdrawals or other transactions were possible at all times.
  • The confidentiality of your password to access your client area at Scalable Capital is still secure.

In general, the data could be used to try to induce you to engage in certain behaviour, in particular to reveal other confidential information or make payments (phishing). Furthermore, an attempt could be made to deceive third parties with your identity in order to commit fraud (identity theft). In this context, it is important to note that your assets held in safe custody with the Custodian Bank have never been and will never be at risk from this incident. Unauthorised securities trades, withdrawals or other transactions were and are not possible in connection with this incident.

Do you offer an identity theft monitoring service?

The protection of your personal information is a priority for us and we want to assure you that we are doing everything we can to minimise any risks you might face.

As such, we are offering you 12 months of free credit and web monitoring services, provided by Experian, one of the UK’s leading Credit Reference agencies.

To help you to monitor your personal information for certain signs of potential identity theft, we are offering you membership to Identity Plus. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focussed on the identification and resolution of identity theft.

If you would like to take up this offer please:

  1. Ensure that you sign up for the service by 21st January 2021 (your code expires after this date).
  2. Visit the Identity Plus website to get started: https://identity.experian.co.uk/get-started/protection.
  3. Validate your unique activation code (provided via email or post).
  4. Enter your details to complete the registration.
  5. Once your membership is activated, you will have access to the following features:

    • Unlimited access to your Experian Fraud Report.
    • Credit Alerting – an email or SMS to let you know when certain changes happen on your Experian Credit Report, such as the addition of a new credit search.
    • Web monitoring – an alert by email or SMS which confirms that personal information has been found on the dark web.
    • Access to Experian’s Victims of Fraud service if you do become a victim of fraud, who will support you in resolving fraud that has occurred.
    • If you are at higher risk of fraud, Experian can add protective Cifas registration to your Credit Report which can help prevent credit being taken in your name.

If you have any questions regarding this service, then please contact Experian’s Customer Support Centre on Tel. 03444 818182*. They are open Monday to Friday, 8am to 4pm.

Note: Experian's Identity Plus service is provided to you directly by Experian. Any data you provide to Experian will be processed in accordance with their privacy policy.

*Charges for calling 03 numbers are the same as for calls made to standard UK landline phone numbers starting 01 or 02. If your landline or mobile phone package means you can call an 01 or 02 number as part of 'free' inclusive minutes, the same will apply to calling our 03 numbers.

Do I have to report this incident to my bank?

Of course you can speak to your bank, where you hold the account that you have used to make deposits and withdrawals with Scalable Capital, and get advice. You should definitely inform your bank in case you notice any suspicious account activity.

Pay particular attention to the general principles for the protection against cyber-crime as outlined by the Information Commissioner's Office (ICO). Pay particular attention to phishing, identity misuse, unusual account transactions or the request to disclose confidential access data like your passwords. You can find the link here: https://ico.org.uk/your-data-matters/identity-theft/

Important: Neither Scalable Capital nor any other reputable provider would ask you to disclose passwords by email or telephone.

Do third parties have access to my portfolio?

No. Your password and therefore your access to Scalable Capital has never been compromised. The current balance of your account cannot be viewed. However, the mailbox contains documents (Investment Management Reports, Invoices etc.) with historical information about your portfolio.

What should I do if I am contacted by third parties with my Scalable Capital data?

We advise you not to reply to the email. In particular, do not divulge any other confidential information or arrange for any payments to be made. Furthermore, you should not open any attachments or click on any links contained in the email. Make sure that you do not delete the email, as it may be required as evidence by the investigating authorities. We would also ask you to forward the email to us (support@scalable.capital) so that we can make it available to the investigating authorities.

You should also report any such contact to Action Fraud, the UK's national fraud and internet crime reporting centre, on Tel. 0300 123 2040.

In addition, you should promptly inform your bank, where you hold the account that you have used to make deposits and withdrawals with Scalable Capital, about the data protection incident. They can advise you on possible further measures and, if necessary, help to monitor your payment transactions.

If you have any questions or require further information, please contact us using the details below:

Email: support@scalable.capital
Telephone: +44 203 750 0703

Is my money at risk?

At no time were your investments at the custodian bank at risk. The confidentiality of your password to access your client area at Scalable Capital is still secure.

Have funds been transferred away from my portfolio?

No, this is not possible. We would like to emphasise that, as a result of the incident:

  • Your assets held in custody with the custodian bank have not been at risk at any time.
  • Only authorised securities orders, withdrawals or other transactions were possible at all times.
  • The confidentiality of your password to access your client area at Scalable Capital is still secure.

Can third parties buy or sell securities or ETFs in my portfolio?

No, this is not possible. We would like to emphasise that, as a result of the incident:

  • Your assets held in custody with the custodian bank have not been at risk at any time.
  • Only authorised securities orders, withdrawals or other transactions were possible at all times.
  • The confidentiality of your password to access your client area at Scalable Capital is still secure.

I am not a customer (anymore). Why am I affected?

The access was undertaken without focusing on specific individuals or groups of persons. The data of former customers as well as customers who have completed the registration process, but have not deposited any money, were also accessed. We are required to retain this information for legal/regulatory purposes.

To access your mailbox to read the letter containing full details of the data protection incident, please go to www.scalable.capital. Under "LOGIN" you can log in using your email address and original password. If you have forgotten your password, you can reset it using this link: https://uk.scalable.capital/reset-password

I have closed my account. Why am I affected?

The access was carried out without focusing on specific individuals or groups of persons. In addition to documents from customers, documents from former customers are also affected. Even if you are no longer our customer, data may have been accessed which we are required to store for legal/regulatory reasons.

To access your mailbox to read the letter containing full details of the data protection incident, please go to www.scalable.capital. Under "LOGIN" you can log in using your email address and original password. If you have forgotten your password, you can reset it using this link: https://uk.scalable.capital/reset-password

Will I receive financial compensation?

Due to the ongoing investigations into the facts of the case, we are currently unable to make any statement on possible compensatory payments. We are monitoring the situation closely and working with relevant authorities in this regard.

Further information on the incident

What exactly happened?

According to our current knowledge, a subset of documents stored in our digital document archive has been unlawfully accessed. This unlawful access to the archive concerned was carried out making use of privileged and restricted information which is only available via appropriately secured access points. Our current knowledge is that access was not carried out by exploiting a technical security gap that could be directly exploited from outside of the company.

When was the incident discovered at Scalable Capital?

On Friday, 16 October 2020.

When was the data accessed?

Documents were accessed that were placed in our digital data archive before 11 October 2020. The unauthorised access took place on two dates between August and October 2020.

How did you notice the access?

We were able to assign a single case of attempted but unsuccessful identity theft to a specific document in our archive that was accessed. Thereafter, a comprehensive analysis was carried out in which all affected customers and documents could be identified.

How many customers are affected?

The access was undertaken without focusing on specific individuals or groups of persons. Approximately seven hundred active customers are affected. The data of former customers as well as customers who have completed the registration process, but have not deposited any money, were also accessed (a total of another one thousand).

Can my data still be accessed today?

No. We have technically made sure that unlawful access to your data is no longer possible.

What measures have Scalable Capital taken?

We immediately took all necessary measures to prevent further illegal access to the digital document archive. The matter is currently being further analysed, documented and continuously monitored. For this purpose, we have also called in external experts for information and IT security. We have also informed the relevant supervisory authorities.

Has Scalable Capital informed the authorities?

Yes, the competent supervisory authorities have been informed. The relevant law enforcement authority has been involved.

What safeguards are in place at Scalable Capital?

We immediately took all necessary measures to prevent further illegal access to the digital document archive. For this purpose, we have also called in external experts for information and IT security. Your assets held in custody with the custodian bank have not been at risk at any time. Only authorised securities orders, withdrawals or other transactions were possible at all times. The confidentiality of your password to access your client area at Scalable Capital is still secure.