UK Financial Watchdog Admits Data Blunder

The UK's Financial Conduct Authority (FCA) has admitted exposing the personal data of its critics online. 

The FCA, whose job it is to regulate the conduct of the approximately 59,000 financial services firms and financial markets in the United Kingdom, said the data breach was accidental and inadvertent. 

Names, addresses, and some telephone numbers of people who had lodged complaints against the authority were shared online under the blunder. In some circumstances, data that the FCA described as "other information" was also made public. 

The financial watchdog has referred itself to UK privacy authorities, presumably with its tail firmly between its legs.

Admitting culpability, a spokesperson for the FCA said: "The publication of this information was a mistake by the FCA." 

The data was exposed in November, when the spreadsheet in which it was contained was published in response to a Freedom of Information request. The response related to the number and nature of new complaints made against the FCA and handled by its complaints team between January 2, 2018, and July 17, 2019.

It wasn't until early February that the FCA cottoned on to its mistake and re-secured the exposed data. According to the BBC, 1,600 names were exposed as a result of the breach. 

In a statement released today, the FCA said that the level of exposure differed for each individual, but "no financial, payment card, passport or other identity information were included" in the data breach.

"In many instances, the extent of the accessible information was only the name of the person making the complaint, with no further confidential details or specific details of their complaint," said an FCA spokesperson.

Embarrassingly, news of the FCA's mistake comes just weeks after the authority published a joint statement with the Information Commissioner's Office (ICO) requesting financial firms to handle personal data responsibly. 

Part of that statement reads: "By passing on personal data, companies may be failing to meet their obligations under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR)."

The FCA said it will be contacting people who were affected the most by the data breach with its apologies and some next steps advice.

What’s Hot on Infosecurity Magazine?