UK financial regulator rocked by self-inflicted data breach

The FCA accidentally disclosed confidential information of 1,600 people who complained against it

The Financial Conduct Authority (FCA) has admitted that it mistakenly published the personal information of people who had filed complaints against it, including names and contact details, on its website.

The data of approximately 1,600 users who complained about the UK’s financial regulator was published on its own website in November 2019, including their names, the status of the complaint, and the company they represent.

Related Resource

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

In some cases, the contact information of complainants, including their phone numbers and postal addresses, were also disclosed.

“As soon as we became aware of this, we removed the relevant data from our website,” the FCA revealed in a statement. 

“We have undertaken a full review to identify the extent of any information that may have been accessible. Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data.”

The FCA made this data available in response to a request submitted under the Freedom of Information Act 2000, which asked the organisation to disclose the number and nature of new complaints made against the FCA. The scope of the request spanned 2 January 2018 to 17 July 2019.

The self-inflicted data breach included the names of a handful of high-profile people, according to Telegraph Money, with these individuals’ information publicly available between November 2019 and February 2020.

Although some personal information was disclosed, the FCA insists that no financial, payment card, passport or other identifying information were available to view. The regulator has also referred itself to the Information Commissioner’s Office (ICO).

Should the ICO feel the breach constitutes a violation of data protection laws, the FCA could face a fine of up to €20 million (£16.7 million) or 4% of its annual turnover, under the worst-case scenario.

Where the contact information of people was disclosed, the FCA is undergoing a process of making direct contact with the individuals concerned to apologise. The regulator will also advise them of the extent of the data disclosed, and of their next steps.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021