FCA admits data breach

The UK's top regulator has referred itself to the Information Commissioner's Office after suffering a data breach that revealed the names and other identifiable information of 1600 individuals who had lodged complaints against it.

The FCA says that it inadvertently published the data in plain view on its website in response to a Freedom of Information Act request.

The response related to the number and nature of new complaints made against the FCA and handled by the Complaints Team between 2 January 2018 and 17 July 2019.

Of the 1600 names revealed, up to half had addresses and phone numbers appended to their complaint. The FCA says no financial, payment card, passport or other identity information was included.

"The publication of this information was a mistake by the FCA," the agency states. "As soon as we became aware of this, we removed the relevant data from our website. We have undertaken a full review to identify the extent of any information that may have been accessible. Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data."

The lapse is an embarrassment for the regulatory body, which is charged with investigating data breaches at member firms and dishing out financial penalties for shoddy security practices.

Comments: (3)

Matthew O'Neill - VMware - UK 26 February, 2020, 06:15

Not sure that I would class this as a data breach as they published the information, so should this be more of a competency question using SMR terminology? 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 26 February, 2020, 14:38

LOL maybe the penalty for data breach is lower than that for incompetence!!!

Andrew Smith - RTGS & ClearBank - London 28 February, 2020, 11:12

It's just yet another example of how handling personal identifiable data is a liability for companies - and really, the FCA shouldn't have needed this sort of data to be stored.

Maybe the FCA will use this to drive discussions regarding digital identity and an entirely new model of how personal identifiable data is shared? It's needed, more so now than ever before with GDPR, but also Open Banking and the levels of push fraud...