Frequently asked questions
about the data protection incident
at Scalable Capital

Important note: The following FAQs present the results of our investigations to date. Should we reach further findings on the data protection incident, we will update this website accordingly.

You can reach our client support team via:

Am I affected?

Clients of Scalable Capital’s investment management service are affected. If you started the opening process after 10 October 2020, you are not affected. Affected clients received a notification by email making them aware of a message on the data protection incident in the Scalable Capital mailbox on the evening of Monday 19 October.

The incident also affected former clients as well as clients who had fully completed their application, but whose portfolios were never funded.

Customers who had not fully completed and submitted their onboarding are not affected.

(last updated on 01.06.2021)

What does this mean for me personally?

Which of my data is affected?
 

Very important: Your password is NOT affected. And you should not share this with anyone; not even with Scalable Capital or the custodian bank! A possible consequence of this data incident could be attempts to contact you to persuade you to hand over your password under false pretences.

The document archive contained customer data in the form of PDF documents. These documents primarily contained customer data from the application and registration process, as well as certain documents from the ongoing customer relationship.

The affected document archive, which was accessed, is used to store documents for the mailbox. You can still view these documents in your mailbox in the App or login area of the website. Documents posted to your mailbox before 11 October have been accessed. The retention of these documents serves in particular to fulfill legal and regulatory obligations to which Scalable Capital is subject as a financial services provider.

In general, the following categories of personal data were accessed: Personal and contact data, the information provided in the course of your suitability questionnaire, data relating to the investment account (such as linked bank account, portfolio reports, security transaction statements, invoices) and tax data (such as national insurance number).

(last updated on 01.06.2021)

Was a specific search made for my data?
 

No. Access was made without focusing on specific individuals or groups of people.

Do I have to file a report with the police?
 

No. We have informed the relevant supervisory authorities. The relevant law enforcement authority has been involved.

If you have any indications of misuse of your data, e.g. if it becomes apparent that your data is being used without your knowledge in any way, or if you are contacted by third parties with regard to your data, you should report this to your local police authority.

Has my data been used?
 

We have received feedback from some customers of our German entity that they have been contacted by third parties via email using their data. Furthermore, third parties have approached journalists referencing the incident. If you are also being contacted by third parties with regard to your data, please contact us. Do not reply to the e-mail and do not provide information over the phone.

(last updated on 30 November 2020)

What should I do as a customer?
 

Pay particular attention to the general principles for the protection against cyber-crime as outlined by the Information Commissioner's Office (ICO). Pay particular attention to phishing, identity misuse, unusual account transactions or the request to disclose confidential access data like your passwords. You can find the link here: https://ico.org.uk/your-data-matters/identity-theft/

Important: Neither Scalable Capital nor any other reputable provider would ask you to disclose passwords by email or telephone.

In addition, you should:

  • Check your bank statement regularly for any unusual payments that you do not recognise.
  • Check your Experian Credit Report regularly for newly opened accounts or credit searches that you do not recognise.
  • Use strong passwords and change them regularly. Try to keep them at least eight characters long and use numbers, upper case, lower case and symbols.
  • Never give out personal details over the phone unless you are sure who you are speaking to.
  • If you think you have been a victim of fraud you should report it to Action Fraud, the UK's national fraud and internet crime reporting centre, on Tel. 0300 123 2040.

    What are possible consequences for me?

    We would like to emphasise that, as a result of the incident:

    • Your assets held in custody with the custodian bank have not been at risk at any time.
    • Only authorised securities orders, withdrawals or other transactions were possible at all times.
    • The confidentiality of your password to access your client area at Scalable Capital is still secure.

    Unfortunately, it is in the nature of data protection incidents that, using the data affected by the access, an unlawful attempt could potentially be made to induce customers to behave in certain ways, in particular to disclose further confidential information or to initiate payments. Therefore, it cannot be ruled out that an attempt could be made to deceive third parties with your data.

      In this context, it is important to note that access to the databases and other systems separate from the document archive, and in particular to customer passwords, was not possible at any time, and that your assets held in safe custody at the Custodian Bank were not and are not at risk at any time as a result of the incident.

      (last updated on 01.06.2021)

      Do you offer an identity theft monitoring service?
       

      The protection of your personal information is a priority for us and we want to assure you that we are doing everything we can to minimise any risks you might face.

      As such, we are offering you 12 months of free credit and web monitoring services, provided by Experian, one of the UK’s leading Credit Reference agencies.

      To help you to monitor your personal information for certain signs of potential identity theft, we are offering you membership to Identity Plus. This service helps detect possible misuse of your personal data and provides you with identity monitoring support, focussed on the identification and resolution of identity theft.

      If you would like to take up this offer please:

      1. Visit the Experian website to get started: https://www.experian.co.uk/consumer/which-product-is-right-for-me.html
      2. Enter your details to complete the registration
      3. Provide proof of purchase to Client Services via support@scalable.capital

      Once your membership is activated, you will have access to the following features:

      • Unlimited access to your Experian Fraud Report.
      • Credit Alerting – an email or SMS to let you know when certain changes happen on your Experian Credit Report, such as the addition of a new credit search.
      • Web monitoring – an alert by email or SMS which confirms that personal information has been found on the dark web.
      • Access to Experian’s Victims of Fraud service if you do become a victim of fraud, who will support you in resolving fraud that has occurred.
      • If you are at higher risk of fraud, Experian can add protective Cifas registration to your Credit Report which can help prevent credit being taken in your name.

      If you have any questions regarding this service, then please contact Experian’s Customer Support Centre on Tel. 03444 818182*. They are open Monday to Friday, 8am to 4pm.

      Note: Experian's Identity Plus service is provided to you directly by Experian. Any data you provide to Experian will be processed in accordance with their privacy policy.

      *Charges for calling 03 numbers are the same as for calls made to standard UK landline phone numbers starting 01 or 02. If your landline or mobile phone package means you can call an 01 or 02 number as part of 'free' inclusive minutes, the same will apply to calling our 03 numbers.

      Do I have to report this incident to my bank?
       

      Of course you can speak to your bank, where you hold the account that you have used to make deposits and withdrawals with Scalable Capital, and get advice. You should definitely inform your bank in case you notice any suspicious account activity.

      Pay particular attention to the general principles for the protection against cyber-crime as outlined by the Information Commissioner's Office (ICO). Pay particular attention to phishing, identity misuse, unusual account transactions or the request to disclose confidential access data like your passwords. You can find the link here: https://ico.org.uk/your-data-matters/identity-theft/

      Important: Neither Scalable Capital nor any other reputable provider would ask you to disclose passwords by email or telephone.

      Do third parties have access to my portfolio?
       

      No. Your password and therefore your access to Scalable Capital has never been compromised. The current balance of your account cannot be viewed. However, the mailbox contains documents (Investment Management Reports, Invoices etc) with historical information about your portfolio.

      What should I do if I am contacted by third parties with my Scalable Capital data?
       

      We advise you not to reply to the email. In particular, do not divulge any other confidential information or arrange for any payments to be made. Furthermore, you should not open any attachments or click on any links contained in the email. Make sure that you do not delete the email, as it may be required as evidence by the investigating authorities. We would also ask you to forward the email to us (support@scalable.capital) so that we can make it available to the investigating authorities.

      You should also report any such contact to Action Fraud, the UK's national fraud and internet crime reporting centre, on Tel. 0300 123 2040.

      In addition, you should promptly inform your bank, where you hold the account that you have used to make deposits and withdrawals with Scalable Capital, about the data protection incident. They can advise you on possible further measures and, if necessary, help to monitor your payment transactions.

      If you have any questions or require further information, please contact us using the details below:

      Email: support@scalable.capital
      Telephone: +44 203 750 0703

      Is my money at risk?
       

      At no time were your investments at the custodian bank at risk. The confidentiality of your password to access your client area at Scalable Capital is still secure.

      Have funds been transferred away from my portfolio?
       

      No, this is not possible. We would like to emphasise that, as a result of the incident:

      • Your assets held in custody with the custodian bank have not been at risk at any time.
      • Only authorised securities orders, withdrawals or other transactions were possible at all times.
      • The confidentiality of your password to access your client area at Scalable Capital is still secure.

        Can third parties buy or sell securities or ETFs in my portfolio?

        No, this is not possible. We would like to emphasise that, as a result of the incident:

        • Your assets held in custody with the custodian bank have not been at risk at any time.
        • Only authorised securities orders, withdrawals or other transactions were possible at all times.
        • The confidentiality of your password to access your client area at Scalable Capital is still secure.

          I am not a customer (anymore). Why am I affected?

          The access was undertaken without focusing on specific individuals or groups of persons. The data of former customers as well as customers who have completed the registration process, but have not deposited any money, were also accessed. We are required to retain this information for legal/regulatory purposes.

          To access your mailbox to read the letter containing full details of the data protection incident, please go to www.scalable.capital. Under "LOGIN" you can login using your email address and original password. If you have forgotten your password, you can reset it using this link: https://uk.scalable.capital/reset-password

          I have closed my account. Why am I affected?
           

          The access was carried out without focusing on specific individuals or groups of persons. In addition to documents from customers, documents from former customers are also affected. Even if you are no longer our customer, data may have been accessed which we are required to store for legal/regulatory reasons.

          To access your mailbox to read the letter containing full details of the data protection incident, please go to www.scalable.capital. Under "LOGIN" you can login using your email address and original password. If you have forgotten your password, you can reset it using this link: https://uk.scalable.capital/reset-password

          Please note that post-contractual documents will still be provided by the Custodian Bank and Scalable Capital (such as the annual tax certificate or ex-post cost information). You can continue to access these documents in your electronic mailbox until the applicable retention periods expire. Upon request, you can also have your access closed completely before then.

          (last updated on 01.06.2021)

          Will I receive financial compensation?
           

          This is not intended. We have been the victim of a cyber attack by criminal actors who are currently still unknown to us. For the attack, they used illegally obtained internal company access information that was only available via secure access points. No security precautions were overcome, and our systems were not "hacked". After a thorough investigation of the facts, it could not be established that we bear responsibility for this attack. Thus, there is no basis to claim damages from Scalable Capital. However, we would like to point out that claims for damages against the actors responsible for the data protection incident may be possible.

          (last updated on 01.06.2021)

          What can I do against spam?
           

          Important: No reputable provider would ask you to disclose confidential data by e-mail or telephone.
          Hang up on unwanted calls, use the block function on your phone and, if necessary, have the caller's number blocked by your network operator. Mark unsolicited emails as spam/junk. Do not click on links or attachments under any circumstances.

          (last updated on 01.06.2021)

          Further information on the incident

          What exactly happened?
           

          Scalable Capital was the victim of a cyberattack in 2020 in which Scalable Capital documents were illegally accessed. These documents were stored in a digital document archive. This document archive was accessed using illegally obtained internal company access information, which was only available via secure access points. Access was not carried out by exploiting a technical security gap that could be directly exploited from outside of the company.

          (last updated on 01.06.2021)

          When was the incident discovered at Scalable Capital?
           

          On Friday, 16 October 2020.

          When was the data accessed?
           

          Documents were accessed that were placed in our digital data archive before 11 October 2020. The unauthorised access took place on two dates between August and October 2020.

          How did you notice the access?
           

          The access came to light in the course of a specific customer inquiry, which provided initial indications in this respect. An extensive analysis was carried out immediately, during which it was possible to narrow down all the persons and documents concerned.

          (last updated on 01.06.2021)

          How many customers are affected?
           

          The access was undertaken without focusing on specific individuals or groups of persons. Approximately eight hundred active customers are affected. The data of former customers as well as customers who have completed the registration process, but have not deposited any money, were also accessed (a total of another nine hundred).

          Can my data still be accessed today?
           

          No. We have technically made sure that unlawful access to your data is no longer possible.

          What measures have Scalable Capital taken?
           

          We immediately took all necessary measures to rule out the possibility of further unlawful access to the digital document archive using the compromised information. The incident was analyzed and comprehensively evaluated in collaboration with external experts for information and IT security. In addition, we informed the relevant supervisory authorities. We filed a criminal complaint and, as a result, an investigation was initiated. We also immediately informed affected and unaffected customers and the public about the incident. We also pointed out at that time that Scalable Capital would comprehensively investigate the incident, which has since been done.

          In parallel, Scalable Capital identified and implemented further measures together with external IT experts to meet future challenges of the increasingly demanding overall cyber security situation. It should be noted, however, that the risk of cyber attacks can never be completely ruled out.

          (last updated on 01.06.2021)

          Has Scalable Capital informed the authorities?
           

          Yes, the competent supervisory authorities have been informed. The relevant law enforcement authority has been involved.

          What data security safeguards are in place at Scalable Capital?
           

          The data stored in the document archive was and is permanently encrypted using a highly effective encryption process to protect it from unauthorized access. During the data protection incident, however, no technical precautions were overcome to access the customer data in the document archive; instead, the documents were accessed using illegally obtained internal company access information that was only available via secure access points (and that enabled access and decryption of the data).
          We immediately took all necessary measures to prevent further illegal access to the digital document archive. For this purpose, we have also called in external experts for information and IT security. Your assets held in custody with the custodian bank have not been at risk at any time. Only authorised securities orders, withdrawals or other transactions were possible at all times. The confidentiality of your password to access your client area at Scalable Capital is still secure.

          (last updated on 01.06.2021)

          Have you been hacked? Does the vulnerability still exist?
           

          No. According to the current state of knowledge, access was not gained by exploiting a technical security vulnerability that could be directly exploited from the outside. The archive in question was accessed using illegally obtained internal company access information that was only available via secure access points.

          (last updated on 01.06.2021)