News & Resources

Pepperstone Data Breach – Cybercriminals Access Client Data

  • Posted on

International online currency exchange broker Pepperstone informed customers of a breach of its systems that resulted in customers’ personal data being obtained by cybercriminals.

The breach is believed to have occurred around 20 July 2020, with Pepperstone claiming they quickly detected and stopped the cybercriminals from accessing their systems. However, some clients’ personal information had already been accessed by this point.

Pepperstone informed their clients by email of the breach by 27 July 2020. By this point, a number of clients had already been contacted by cybercriminals using the stolen data.

These contacts took the form of the criminals either impersonating Pepperstone or pretending to be third parties claiming that the broker had closed down. Clients contacted by the cybercriminals were asked to transfer their funds to a different account or, in some cases, to download a remote desktop viewer.

A Pepperstone spokesperson gave a statement, saying:

The incident was contained and the source identified, and all affected clients were contacted, as well as the relevant authorities. We’re disappointed that this has happened and have ramped up our already considerable investment in cyber security to prevent recurrence.

However, clients of Pepperstone are likely to have serious concerns, especially if they have been notified that their data was accessed. If you have been affected by the Pepperstone data breach, it is important to know exactly what happened, your rights and what you need to do next.

Wondering if you may be entitled to compensation for the Pepperstone data breach? Please get in touch.

What client data was accessed during the breach?

Pepperstone has stated that the following types of client data were potentially exposed in the breach:

  • Names
  • Contact details
  • Dates of birth
  • Personal identification numbers (such as national identity numbers, passport numbers and tax numbers)
  • Security questions and answers

The company has said that its trading systems were not accessed, so trading accounts, passwords and banking information were not compromised.

How did the Pepperstone data breach occur?

The company has said the breach happened via a third-party vendor that has access to its systems. The vendor was targeted by cybercriminals with a malware attack that led to the vendor’s systems being compromised.

The cybercriminals were then able to obtain the vendor’s credentials and used these to access Pepperstone’s client relationship management (CRM) system. Once the cybercriminal had access to the CRM, they were able to extract personal information about a group of Pepperstone’s clients.

How has Pepperstone responded to the breach?

A spokesperson for Pepperstone said:

Pepperstone has conducted a forensic investigation into a malware attack on 22 July, which compromised a computer system used by an external service provider in order to steal their user credentials.

Before the attack could be stopped, criminals were able to obtain some personal information of some of our account holders. We believe that the information was shared with third parties, who made unsolicited contact with Pepperstone account holders.

It’s important to note that no trading accounts, passwords or bank account information have been compromised. Our investigation has confirmed that information is limited to client names, some contact details and some personal details.

We immediately notified the individuals affected, and provided information and recommendations to help ensure their ongoing security.

What to do if you are worried about the Pepperstone data breach

If you are a client of Pepperstone, the company has recommended changing your password and enabling two-factor authentication to protect your account.

You should also be extremely wary about anyone contacting you claiming to be a representative of Pepperstone or a third party. If you are contacted in this way, you should be careful not to transfer funds or carry out any other actions, such as using a remote desktop viewer that could give them access to your Pepperstone account.

There are also various steps you can take to minimise the risk of your data being used by cybercriminals. Take a look at our guide to what to do if your data has been stolen in a data breach to find out more.

It is also worth considering whether you may be entitled to compensation as a result of the breach. This is something the team at Hayes Connor will be happy to discuss with you.

Are you owed compensation for the Pepperstone data breach?

Any company that holds people’s personal data has a legal duty to put in place appropriate data security measures to minimise the risk of data breaches. If a company fails to put in place, or to effectively carry out, such measures and a breach occurs, anyone whose data is exposed as a result potentially has a claim for data breach compensation.

In a case such as the Pepperstone data breach, where the breach was allegedly caused by a breach of a third-party vendor’s systems, you might question whether Pepperstone can be held responsible. The reality is that both the third-party vendor and Pepperstone could potentially be held liable, as Pepperstone have a duty to ensure that their systems are secure against scenarios such as this.

A key point to understand is that you do not need to have suffered a financial loss in order to be entitled to compensation. Having your data exposed can be very stressful and upsetting and you can claim compensation for this emotional distress. Of course, if you have suffered financial losses, these can also be claimed for.

How Hayes Connor can help you claim Pepperstone data breach compensation

At Hayes Connor, we are already helping a number of clients affected by the Pepperstone data breach to explore the possibility of securing compensation. As such, we are already familiar with the case and can help get the ball rolling on your potential claim quickly.

We are one of the largest teams of data breach claims specialists in the country, with decades of combined experience in securing compensation for victims of data breaches. We can advise you on whether you are likely to have grounds for a claim, the level of compensation you may be entitled to and what you need to do to start a claim.

Our goal is to ensure that anyone who is affected by a data breach is able to get the compensation they deserve, while making the claims process as simple and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form or, to speak to a member of our team, please do not hesitate to give us a call on 0151 363 5895.

Find out how our experts can help you with your claim

Make a claim