26 January 2026

UK FCA Data Exfiltration Prosecutions: A Reminder Of Malicious Insider Risks

Calum Burnett, A&O Shearman

Data exfiltration via cyberattack is top-of-mind for financial services firms. Regulatory attention is primarily focused on the risk of impersonation to misappropriate funds, but there are two other angles firms would do well to consider: data exfiltration by a malicious insider, and subsequent use of that data in investment fraud.

This is illustrated by a series of FCA criminal convictions in 2025 relating to a boiler room fraud, which are noteworthy for their data protection and exfiltration aspects. Whilst the FCA's three press releases are, as is typical, scant on detail, the fraud was apparently perpetrated using customer data stolen from a mobile network operator:

  • A mobile network operator's employee sold confidential customer data to a family friend. The employee was convicted and fined for unlawfully obtaining and disclosing personal data contrary to s.170(1) of the Data Protection Act 2018. The family friend was convicted and fined for encouraging and assisting that offence.
  • That data was then likely used in a scam in which victims were cold-called and sold fake crypto investments. At least 65 investors were defrauded, losing over £1.5m in total. Two individuals were convicted of related offences and sentenced to a combined 12 years' imprisonment.

Financial services firms face similar risks given their substantial stores of sensitive personal data including contact information, evidence of identity and information about financial behaviours. They also have the "deepest pockets" for the FCA to pursue to provide redress.

How to mitigate this risk? The FCA's Financial Crime Guide on data security, whilst concentrating on impersonation, nevertheless contains useful pointers on managing insider risk. So does the FCA's Cyber Coordination Group Insights series (including the 2024 edition). Some key points to consider:

  • Access and control:
    • Are your data repositories tightly permissioned? For substantial data movements, have you implemented dual control (two individuals must authorise) or appropriate segregation of duties?
    • Have you identified key staff dealing with substantial volumes of personal data?
  • Other prevention measures: review your Data Loss Prevention (DLP) and Intrusion Detection/Prevention System (IDS/IPS) arrangements, and include malicious-insider scenarios in the scope of your penetration testing. Concentrate especially on:
    • Legacy systems, for which permissioning and prevention may be less precise.
    • Data flows to outsourced providers. Here, review the adequacy of your oversight, particularly of their cybersecurity measures. (Oversight of outsourced providers has tripped up firms before.)
  • Check that your incident investigation and response plans move quickly from detection of data loss to timely communication with, and support for, affected customers. The sooner customers know their data has been taken, the less successfully it can be exploited in the kind of cold-calling fraud described above.
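Two of the controls in the checklist above can be expressed directly in code: dual control for substantial data movements, and detection of staff whose record access is far out of line with their peers (the pattern of one employee pulling a customer base to sell it on). The following Python is an added example and is not code from the article, the FCA or any firm; the log layout, thresholds, and the user and system names are constructed assumptions for illustration.

```python
"""Added example (not from the article): two insider-risk controls from the
checklist above, run over constructed data.

1. dual_control_ok(): a bulk export at or above BULK_THRESHOLD records needs
   two distinct approvers, neither of whom is the requester.
2. flag_outliers(): detection logic over an access log that flags users whose
   total record reads dwarf the peer median.

All thresholds, the log layout and the user/system names are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

BULK_THRESHOLD = 500       # assumption: this many records counts as "substantial"
PEER_MULTIPLIER = 5.0      # assumption: flag totals more than 5x the peer median
MIN_FLAG_RECORDS = 1_000   # assumption: ignore small absolute counts


@dataclass(frozen=True)
class ExportRequest:
    requester: str
    records: int


def dual_control_ok(req: ExportRequest, approvers: set) -> bool:
    """Gate a data movement: self-approval never counts, small requests need
    no second pair of eyes, bulk requests need two distinct approvers."""
    if req.requester in approvers:
        return False
    if req.records < BULK_THRESHOLD:
        return True
    return len(approvers) >= 2


# Constructed access log (not real data). One event per line:
# timestamp,user,system,action,record_count
SAMPLE_LOG = """\
2025-03-03T09:02:11Z,alice,crm,read,40
2025-03-03T09:15:47Z,bob,crm,read,35
2025-03-03T10:01:03Z,carol,crm,read,52
2025-03-03T10:30:22Z,dave,crm,read,48
2025-03-03T11:12:09Z,alice,crm,read,30
2025-03-03T13:44:51Z,erin,legacy-billing,export,4200
2025-03-03T15:05:18Z,bob,crm,read,28
2025-03-03T16:20:00Z,erin,legacy-billing,export,6100
"""


def parse_log(text: str) -> list:
    """Parse the CSV-style log into dicts; skips blank and comment lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, system, action, count = line.split(",")
        events.append({"ts": ts, "user": user, "system": system,
                       "action": action, "records": int(count)})
    return events


def records_per_user(events: list) -> dict:
    """Total records touched per user across all systems."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["user"]] += ev["records"]
    return dict(totals)


def flag_outliers(events: list) -> dict:
    """Return {user: details} for users whose total record access exceeds
    PEER_MULTIPLIER times the median of the *other* users (leave-one-out, so
    a single heavy user cannot drag the baseline up and hide behind it)."""
    totals = records_per_user(events)
    if len(totals) < 3:          # too few peers to form a baseline
        return {}
    flagged = {}
    for user, total in totals.items():
        baseline = median([t for u, t in totals.items() if u != user])
        if total >= MIN_FLAG_RECORDS and total > PEER_MULTIPLIER * baseline:
            flagged[user] = {
                "records": total,
                "peer_median": baseline,
                "systems": sorted({ev["system"] for ev in events if ev["user"] == user}),
            }
    return flagged


if __name__ == "__main__":
    for user, info in flag_outliers(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {info['records']} records via {info['systems']} "
              f"(peer median {info['peer_median']})")
    bulk = ExportRequest("erin", 4200)
    print("bulk export, one approver:", dual_control_ok(bulk, {"mgr1"}))
    print("bulk export, two approvers:", dual_control_ok(bulk, {"mgr1", "mgr2"}))
```

In the constructed log, only `erin` is flagged: her two exports from the legacy billing system total 10,300 records against a peer median of 57.5, which also illustrates the checklist's point about legacy systems being where bulk pulls tend to go unnoticed. In a real deployment the baseline would be computed per role and per time window and the alert fed to the SIEM, and the dual-control gate would sit inside the export tooling rather than in a standalone script.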
