A reminder that no organisation, however large, well-resourced or public-facing, is immune from data breaches.
The Financial Conduct Authority (“FCA”) has admitted to suffering a data breach whereby details of 1,600 individual complainants were accidentally published on its website last year. In its statement, the regulator reassures readers that no financial, payment or passport information was disclosed; however, names, addresses and telephone numbers may have been.
Of course, the FCA has notified the incident to the Information Commissioner’s Office (“ICO”), has reportedly undertaken a full review and claims it is making contact with any affected individuals. However, it is concerning that the regulator only noticed the mistake earlier this month – over three months after the confidential data was posted to the website.
The data breach is particularly embarrassing for the regulator which, earlier this month, published a joint statement with the ICO warning insolvency practitioners and authorised firms to be responsible when dealing with personal data. The regulator even issued a £16.4m fine in 2018 for failing to protect customer information! This mistake is likely to add to the mounting criticism facing the regulator - in fact, the complaints disclosed in the breach highlighted the regulator’s lack of communication and level of fees.
This is a timely reminder that organisations of all shapes and sizes are vulnerable to data breaches without any sophisticated cyber criminals being in the picture. Human error can happen. However, the ICO has recently shown it isn’t afraid to fine organisations with poor security measures, so it’s likely the FCA will pay the price reputationally and potentially financially.
For financial services firms regulated by the FCA, this incident should serve as a reminder for them to ensure their own data protection compliance is in order; the FCA’s own data breach may well push the subject higher up both the FCA’s and ICO’s supervisory radar and lead to possible increased questioning of firms in this area.
The UK's City watchdog has admitted that it inadvertently published online the personal data of people who made complaints against it.