Finance sector hit by cyber attacks during Covid crisis

Personal data breaches caused by cyber attacks on financial companies have surged during the Covid-19 crisis, new figures reveal, potentially exposing investors’ sensitive information to criminals. 

Between January and June, the finance, insurance and credit sector reported at least 122 cyber security incidents to the UK regulator under the General Data Protection Regulations, an increase of more than 54 per cent on the same period last year. 

Historic documents obtained by Investors Chronicle also reveal how some of the most popular trading platforms have reported personal data breaches in recent years, with interactive investor, Freetrade and Charles Stanley all declaring incidents since the introduction of GDPR in 2018.

While the finance sector has long been a prime target for hackers, the shift to remote working has introduced new vulnerabilities. In March, as companies across the UK were forced to send employees home en masse, the Financial Conduct Authority warned that criminals were exploiting the online systems which had become increasingly “mission critical” to businesses.

Documents obtained through a freedom of information request to the Information Commissioner’s Office (ICO), the data regulator, show the finance sector reported 63 fraudulent attacks known as “phishing” from January to June, compared to 37 during the same six months last year. Ransomware breaches, which demand payment after blocking access to a company’s systems, nearly doubled from six incidents to ten.

“Organisations set up remote working arrangements at pace when there wasn’t really the time to build in the relevant security,” said Jim Gee, head of forensic services at audit firm Crowe UK. While all companies were forced to adapt to the new circumstances, he added criminals also evolved, pointing to widespread reports of organised gangs shifting to cyber crime during the pandemic.

The finance sector is data-rich as well as cash-rich, so obtaining customers’ personal information provides fraudsters with an alternative route to their savings and other funds that are generally harder to steal directly. This data also has a significant intrinsic value, with streams of sensitive information sold across the dark web to be exploited again by other hackers.

Even before the pandemic, data leaks were frequent in the finance sector. Since an EU directive introduced the requirement to declare breaches likely to risk people’s “rights and freedoms” in May 2018, the industry has reported at least 1,774 incidents to the ICO – equivalent to more than two every day. The majority have more benign causes than criminal attacks, such as data being emailed to the wrong person, although the proportion of breaches linked to cyber security incidents nearly doubled in the first half compared to the same period last year, to 26 per cent.

The enforcement of GDPR across the European Union two years ago came amid growing concerns about the protection of personal data by businesses. A 2018 survey of 296 financial services firms by the FCA found only the largest had automated systems in place to spot attacks, with retail investment companies being among the least cyber resilient.

According to the documents from the ICO, an investigation was pursued after popular trading platform interactive investor (ii) reported a phishing attack to the regulator in December 2018. Freetrade, another share trading app, was also the subject of an investigation after notifying the ICO of an “unauthorised access” breach that same month. In both cases, no further regulatory action was taken.

A spokesperson for ii said this investigation was carried out internally and it found no customer data was compromised. “The security of our customers’ financial assets and accounts is of the utmost importance to us,” they added. A spokesperson for Freetrade said the firm has “robust data protection and cybersecurity measures in place” and takes its “responsibility to protect customers’ personal data seriously”. 

In total, the IC identified nine providers of trading platforms that reported personal data breaches, although a number of these were banks and fund managers who may have suffered leaks in other areas of their business. Investment manager Charles Stanley has reported 25 separate incidents over the last two years, including one related to its Charles Stanley Direct trading platform, although none of these were attributed to cyber security breaches.

Guillaume Rimbaut, data protection officer at Charles Stanley, said the company “takes data protection and client confidentiality extremely seriously”. When the EU's GDPR legislation was introduced, he added, the firm took a cautious approach to reporting, but this has since been refined and no incidents have been declared since October last year.

'Growing opportunity' for cyber security

The increasing online risks to businesses have benefitted a small handful of firms. Shares in US cyber security company Cloudflare (US:NET) have nearly quadrupled in the year to date, as organisations looked to tighten up their protection. NASDAQ-listed Zscaler (US:ZS), another information security business, has seen its stock rise more than 200 per cent over the same period.

Yoav Keren, chief executive of Israeli cyber security startup BrandShield, which plans to list on Aim next month, said there has been “a huge digital transformation this year”, with firms undergoing changes in six months that he expected to see in 20 years. The company specialises in combatting phishing attacks – the most common cyber security breach reported by the finance sector to the ICO.

Remote working has left businesses “more susceptible to all kinds of phishing attacks or fraud”, Mr Keren added. “This is where we see growth in our business and a growing opportunity to go after.”