The California Office of the Attorney General disclosed a data breach affecting Funding Circle in March 2018, stemming from an incident on June 1, 2017. Unauthorized third parties gained access to email accounts belonging to one of the company’s data vendors, exposing sensitive customer information. The compromised data included names, addresses, phone numbers, and Social Security numbers (SSNs) highly sensitive personal identifiers that could facilitate identity theft or financial fraud. While the breach originated from a third-party vendor, the responsibility for safeguarding customer data ultimately fell on Funding Circle, given its role as the primary entity entrusted with protecting such information. The exposure of SSNs elevates the severity, as this data is a prime target for cybercriminals and can lead to long-term repercussions for affected individuals, including fraudulent loan applications, tax fraud, or unauthorized account openings. The incident underscores vulnerabilities in supply chain security, where third-party vendors with access to critical systems can become entry points for attackers. No ransomware was involved, but the scale and nature of the leaked data particularly SSNs significantly amplify the breach’s impact on customer trust and regulatory compliance.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-134928
TPRM report: https://www.rankiteo.com/company/funding-circle
"id": "fun729082025",
"linkid": "funding-circle",
"type": "Breach",
"date": "6/2017",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Fintech',
'location': 'California, USA (HQ: London, UK)',
'name': 'Funding Circle',
'type': 'Financial Services (Peer-to-Peer Lending)'},
{'name': 'Unnamed Data Vendor',
'type': 'Third-Party Service Provider'}],
'attack_vector': 'Unauthorized Access to Email Accounts',
'data_breach': {'data_exfiltration': 'Potential (Accessed via Email Accounts)',
'personally_identifiable_information': ['Names',
'Addresses',
'Phone Numbers',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High (Includes SSNs)',
'type_of_data_compromised': ['PII (Personally Identifiable '
'Information)']},
'date_detected': '2017-06-01',
'date_publicly_disclosed': '2018-03-30',
'description': 'The California Office of the Attorney General reported a data '
'breach involving Funding Circle on March 30, 2018. The breach '
'occurred on June 1, 2017, when unauthorized third parties '
'accessed email accounts of a data vendor, potentially '
'compromising customer names, addresses, phone numbers, and '
'social security numbers.',
'impact': {'data_compromised': ['Customer Names',
'Addresses',
'Phone Numbers',
'Social Security Numbers'],
'identity_theft_risk': 'High (SSNs compromised)',
'systems_affected': ['Email Accounts of a Data Vendor']},
'initial_access_broker': {'entry_point': 'Email Accounts of a Data Vendor',
'high_value_targets': ['Customer PII']},
'post_incident_analysis': {'root_causes': ['Third-Party Vendor Security '
'Weakness (Email Account '
'Compromise)']},
'references': [{'date_accessed': '2018-03-30',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['California Data Breach '
'Notification Law '
'(likely)'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public Disclosure via California AG '
'(2018-03-30)'},
'threat_actor': 'Unauthorized Third Parties',
'title': 'Funding Circle Data Breach via Third-Party Vendor (2017)',
'type': 'Data Breach (Third-Party Vendor Compromise)'}