The Financial Ombudsman Service is a UK statutory body with a specific and high-stakes attack surface: it holds the sensitive personal and financial data of millions of consumers and businesses involved in disputes with banks, insurers, and other financial firms. Since its founding in 2001, it has resolved over 4 million complaints, each one a record containing the kind of information that makes credential stuffing, phishing, and data exfiltration campaigns worthwhile for attackers targeting the financial sector.
The threat model is defined by the organisation's role as an impartial, free-to-use service that must maintain absolute trust. Any breach or system compromise wouldn't just be a data loss event - it would undermine the credibility of a key piece of the UK's consumer financial protection infrastructure. Security teams here operate in a context where integrity and availability are as critical as confidentiality; the service's binding legal authority depends on systems that are resilient and decisions that are tamper-proof.
This is an environment where security work is inextricable from public service. The cultural signals - a focus on fairness, impartiality, and accessible justice - translate into an operational mandate to protect a broad and often vulnerable user base without the friction or gatekeeping common in commercial fintech. The technical challenge is defending a high-value target at the intersection of government, law, and finance, with the added constraint that security measures cannot become barriers to access for the consumers the service is built to protect.