Opinion

UK FCA data exfiltration prosecutions: a reminder of malicious insider risks

Data exfiltration via cyberattack is top-of-mind for financial services firms. Regulatory attention is primarily focused on the risk that stolen data is used to impersonate customers and misappropriate funds, but there are two other angles firms would do well to consider: data exfiltration by a malicious insider, and the subsequent use of that data in investment fraud.

This is illustrated by the 2025 series of FCA criminal convictions related to a boiler room fraud. These are noteworthy for their data protection and exfiltration aspects. Whilst the FCA's press releases are, as is typical, scant on detail, the fraud was apparently perpetrated using customer data stolen from a mobile network operator:

  • A mobile network operator's employee sold confidential customer data to a family friend. The employee was convicted and fined for unlawfully obtaining and disclosing personal data contrary to s.170(1) of the Data Protection Act 2018. The family friend was convicted and fined for encouraging and assisting that offence.
  • This data was then likely used in a scam in which victims were cold-called and sold fake crypto investments. At least 65 investors were defrauded and lost over £1.5m. Two individuals were convicted and imprisoned for a total of 12 years for various related offences.

Financial services firms face similar risks given their substantial stores of sensitive personal data, including contact information, evidence of identity and information about financial behaviours. They also have the "deepest pockets", making them the natural target for the FCA to pursue when seeking redress for victims.

How to mitigate this risk? The FCA's Financial Crime Guide on data security, whilst concentrating on impersonation, nevertheless contains useful pointers on managing insider risk. So does the FCA's Cyber Coordination Group Insights series (most recently the 2024 edition). Some key points to consider:

  • Access and control:
    • Are your data repositories tightly permissioned, so that staff can see only the records their role requires? For substantial data movements (bulk queries, exports, report downloads), have you implemented dual control (two individuals must authorise) or appropriate segregation of duties, so that no single person can both request and release a large extract?
    • Have you identified the key staff who deal with substantial volumes of personal data, and is their activity logged and reviewed against what is normal for their role and their peers?
  • Other prevention measures: review your Data Loss Prevention (DLP), Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) arrangements, bearing in mind that perimeter-facing controls tuned for external attackers will not necessarily notice an authorised user extracting data through a legitimate channel, and include malicious-insider scenarios in your penetration testing. Concentrate especially on:
    • Legacy systems, for which permissioning and prevention may be less precise.
    • Data flows to outsourced providers. Here, consider reviewing the adequacy of your oversight, particularly regarding their cybersecurity measures. (Oversight of outsourced providers has tripped up firms before.)
  • Consider whether your incident investigation and response plans enable a rapid move from detection of data loss to timely communication with, and support for, impacted customers. The sooner customers are warned that their details are in criminal hands, the less successfully the exfiltrated data can be exploited in follow-on scams such as the cold-calling described above.
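As an added example (not from the FCA guidance or the original post), the script below shows the kind of review the two "access and control" points translate into: it runs over a constructed customer-datastore audit log, flags a user whose record-read volume is far above the peer group, and flags bulk exports that lack the second authoriser a dual-control policy requires. The log line format, the user identifiers, the thresholds and the sample lines are all assumptions for illustration.

```python
"""Insider bulk-access review over a constructed customer-data audit log.

Assumptions (illustrative, not from the post or the FCA): the datastore
writes one audit line per query in the form
    <ISO timestamp> user=<id> action=<read|export> records=<n> [approver=<id>]
and policy requires exports above EXPORT_DUAL_CONTROL_THRESHOLD records to
carry a distinct second authoriser.
"""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed sample log. u17 is the planted outlier: heavy reads plus an
# unapproved bulk export; u04's export carries an approver and is legitimate.
SAMPLE_LOG = """\
2025-03-03T09:02:11Z user=u01 action=read records=3
2025-03-03T09:05:40Z user=u02 action=read records=1
2025-03-03T09:07:02Z user=u17 action=read records=250
2025-03-03T09:09:13Z user=u03 action=read records=2
2025-03-03T09:15:55Z user=u17 action=read records=480
2025-03-03T09:20:30Z user=u01 action=read records=4
2025-03-03T09:31:07Z user=u04 action=export records=1200 approver=u09
2025-03-03T09:44:19Z user=u17 action=export records=5000
2025-03-03T09:50:01Z user=u02 action=read records=2
2025-03-03T10:02:44Z user=u03 action=read records=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>read|export) "
    r"records=(?P<records>\d+)(?: approver=(?P<approver>\S+))?$"
)

EXPORT_DUAL_CONTROL_THRESHOLD = 500  # assumed policy: exports above this need an approver
PEER_MAD_MULTIPLIER = 5.0            # reads flagged when above median + 5 * MAD of peers


def parse_log(text):
    """Parse audit lines into dicts. Malformed lines are returned separately:
    a gap in the audit trail is itself a finding, so they are never dropped."""
    events, malformed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            malformed.append(line)
            continue
        e = m.groupdict()
        e["records"] = int(e["records"])
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events, malformed


def records_read_per_user(events):
    """Total records read per user over the whole log window."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "read":
            totals[e["user"]] += e["records"]
    return dict(totals)


def flag_outlier_readers(events, k=PEER_MAD_MULTIPLIER):
    """Flag users whose read volume sits far above the peer group. The baseline
    uses the median and median absolute deviation (MAD) rather than mean and
    standard deviation, so one heavy user cannot drag the threshold up and
    hide inside it."""
    totals = records_read_per_user(events)
    volumes = list(totals.values())
    if len(volumes) < 3:  # too few peers for a meaningful baseline
        return {}
    med = statistics.median(volumes)
    mad = statistics.median(abs(v - med) for v in volumes) or 1.0
    return {u: v for u, v in totals.items() if v > med + k * mad}


def flag_unapproved_exports(events, threshold=EXPORT_DUAL_CONTROL_THRESHOLD):
    """Dual-control check: a bulk export must carry an approver who is not the
    requester. Self-approval is treated the same as no approval."""
    return [
        e for e in events
        if e["action"] == "export"
        and e["records"] > threshold
        and (e["approver"] is None or e["approver"] == e["user"])
    ]


def review(text):
    """Run both checks and report, along with any unparseable audit lines."""
    events, malformed = parse_log(text)
    return {
        "outlier_readers": flag_outlier_readers(events),
        "unapproved_exports": [(e["user"], e["records"]) for e in flag_unapproved_exports(events)],
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2, default=str))
```

On the sample data the peer baseline is a median of 7 records with a MAD of 2, so u17's 730 reads are flagged while the ordinary users are not, and u17's 5,000-record export is the only one reported as lacking dual control. In a real deployment the baseline would be computed per role and per day rather than over one flat window, and the unapproved-export check would sit in the export path itself, blocking rather than merely reporting.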


Sign up to receive alerts from the A&O Shearman on investigations blog.