“The publication of this information was a mistake by the FCA.” Says FCA
The Financial Conduct Authority (FCA) just admitted that it accidentally published the personal details of roughly 1,600 people who had made complaints about it in the last year.
The incident occurred when the FCA published – on its website – the details of a Freedom of Information (FOI) request that sought information on the number and nature of complaints that had been made against the agency between January 2018 and July of last year.
In that FOI post the FCA inadvertently included the personal details of the individuals who had made the complaints. Details included addresses, phone numbers and what the FCA is calling ‘other information’. The FCA says that no financial, payment card, passport or other identity information were included in the erroneous post.
In an online statement the FCA has stated that: “As soon as we became aware of this, we removed the relevant data from our website. We have undertaken a full review to identify the extent of any information that may have been accessible. Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data.”
The FCA says it has already referred the incident to the Information Commissioner’s Office.
FCA Normally on the Other Side of This type of Thing
The FCA is the regulator for financial services firms and the financial markets in the UK. It currently acts as the watchdog for more than 59,000 businesses.
As such it is normally on the opposite of these incidents as it was in 2018, when it hit Tesco with a £16 million fine due to a cyberattack.
In 2018 attackers used an algorithm to generate authentic Tesco bank cards that were then used to complete unauthorised debit card transactions. Following its investigation the FCA noted that: “Although Tesco Bank’s controls stopped almost 80% of the unauthorised transactions, the Cyber Attack affected 8,261 out of 131,000 Tesco Bank personal current accounts.”
Francis Gaffney, director of threat intelligence at Mimecast speaking on the FCA data leak told Computer Business Review in an emailed statement that: “Organisations continue to have an issue with large-scale data breaches and leaks of sensitive information from their databases, so it is vital that security teams regularly assess database security and ensure best practise is being followed. Mistakes such as this one can easily be avoided and have massive repercussions, both financially and from a reputational perspective.”
“To prevent these mistakes, IT teams must ensure they understand their environment and know exactly where data is being stored at all times. This will enable them to identify any vulnerabilities easily and fix any issues swiftly. It is equally important that organisations are well-prepared for incidents such as these. They must have a detailed and well-thought-out plan in place for any cyber incident to ensure any mitigation is as effective as possible. This plan needs to be tested regularly, carrying out various likely and impactful scenarios to keep the process well-oiled and efficient. By doing this, if an organisation does suffer some sort of incident, it can respond quickly and effectively to minimise the damage.”