UK FCA Data Exfiltration Prosecutions Highlight Malicious Insider Threats

This is illustrated in 2025's series of FCA criminal convictions related to a boiler room fraud. These are noteworthy for their data protection and exfiltration aspects. Whilst the FCA's releases (here, here and here) are (as is typical) scant on detail, fraud was apparently perpetrated using customer data stolen from a mobile network operator: A mobile network operator's employee sold confidential customer data to a family friend. The employee was convicted and fined for unlawfully obtaining and disclosing personal data contrary to the Data Protection Act 2018 s.170(1). The family friend was convicted and fined for encouragement and assistance. This data was then likely used in a scam involving cold-calling victims to sell fake crypto investments. At least 65 investors were defrauded and lost over £1.5m. Two individuals were convicted and imprisoned for 12 years total for various relevant offences. Financial services firms face similar risks given their substantial stores of sensitive personal data including contact information, evidence of identity and information about financial behaviours. They also have the "deepest pockets" for the FCA to pursue to provide redress. How to mitigate this risk? The FCA's Financial Crime Guide on data security, whilst concentrating on impersonation, nevertheless contains useful pointers on managing insider risk. So does the FCA's Cyber Coordination Group Insights series (here's the 2024 edition). Some key points to consider: