FCA data breach could happen to anybody, but easy to avoid
Minor data breach at the Financial Conduct Authority was the result of simple human error, and highlights the need for organisations to consider a wide range of potential threats
The security industry has been picking over a minor data breach at the Financial Conduct Authority (FCA), which occurred after it accidentally published personally identifiable information (PII) on its website in response to a Freedom of Information request last year. The incident has seen the watchdog refer itself to the Information Commissioner’s Office (ICO).
The compromised data relates to 1,600 individuals who made complaints against the FCA between 2 January 2018 and 17 July 2019, including, according to the Telegraph, pro-Brexit campaigner Arron Banks, who has himself been subject to ICO enforcement action in the past for breaches of privacy law.
“As soon as we became aware of this, we removed the relevant data from our website,” said the FCA in a statement. “We have undertaken a full review to identify the extent of any information that may have been accessible. Our primary concern is to ensure the protection and safeguarding of individuals who may be identifiable from the data.”
In most instances, the publicly available information was merely the name of the complainant, with no other confidential details and nothing specific about the complaint. But in other cases, additional confidential information was contained in the free-text description of the complaint. This information is known to have included addresses and phone numbers.
“Where this is the case, we are making direct contact with the individuals concerned to apologise and to advise them of the extent of the data disclosed and what the next steps might be,” said the FCA. “No financial, payment card, passport or other identity information were included.”
Piers Wilson, head of product management at Huntsman Security, said the incident highlighted how easy it is for organisations to essentially create their own vulnerabilities without a cyber criminal coming anywhere near them.
“No matter what an organisation does, or how much experience it has in security and privacy, mistakes can happen,” he said. “These can be when information is intended to be shared but hasn't been sanitised, or when information is stored, transmitted or shared in other ways.”
Francis Gaffney, director of threat intelligence at Mimecast, added: “Mistakes such as this can easily be avoided and have massive repercussions, both financially and from a reputational perspective.
“To prevent these mistakes, IT teams must ensure they understand their environment and know exactly where data is being stored at all times. This will enable them to identify any vulnerabilities easily and fix any issues swiftly.
“It is equally important that organisations are well prepared for incidents such as these. They must have a detailed and well-thought-out plan in place for any cyber incident to ensure any mitigation is as effective as possible.”
Gaffney added: “This plan needs to be tested regularly, carrying out various likely and impactful scenarios to keep the process well-oiled and efficient. By doing this, if an organisation does suffer some sort of incident, it can respond quickly and effectively to minimise the damage.”
Nevertheless, said Toni Vitale, partner and head of data protection at law firm JMW Solicitors, even if the data was exposed through a simple error, there were indicators that the FCA had been negligent in other ways.
“There are overlaps between freedom of information and data protection laws and there are specific exemptions which allow personal data identifying a third party to be excluded from an FoI response,” he said.
“This is often done by manually or electronically ‘redacting’ the parts that identify a third party. This does not appear to have been done here. Although the information was only available briefly, the FCA faces the risk of a fine from the ICO and possibly claims for compensation from anyone affected.”
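The redaction Vitale describes can be checked mechanically before a file is uploaded, which is the step that appears to have been missed here. The following is an added example, not the FCA's own process or code. It assumes the FoI response is a CSV with the columns complainant, received and description, that only received and description are cleared for release, and that a small set of UK identifier patterns (phone numbers, e-mail addresses, postcodes, simple street addresses, the complainant's own name) is what to catch; the sample rows are constructed for the example.

```python
"""Pre-publication PII check for an FoI response spreadsheet.

Added example, not the FCA's own process or code. Assumes a CSV with the
columns complainant, received and description, of which only received and
description are cleared for release. The sample data below is constructed.
"""
import csv
import io
import re

SAMPLE_CSV = """complainant,received,description
A Person,2018-03-12,Complaint about delay in handling case ref 12345
B Person,2019-02-01,"Called 020 7946 0123 and wrote from 1 High Street, Anytown AB1 2CD about a refund"
C Person,2019-06-30,Email to complaints@example.org not answered; my mobile is 07700 900123
D Person,2019-07-10,D Person again: still no reply to my letter
"""

# Columns cleared for publication. The complainant column is dropped outright,
# because a name alone identifies a third party.
RELEASE_COLUMNS = ("received", "description")

# Identifier patterns, applied in this order. Deliberately simple and biased
# towards over-matching: a false positive costs a human review, a miss costs
# a breach.
PATTERNS = {
    "phone": re.compile(r"(?<!\w)(?:\+44\s?\d{2,4}|0\d{2,4})[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\w)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b"),
    "street": re.compile(r"\b\d{1,4}\s+(?:[A-Z][a-z]+\s+)*(?:Street|Road|Lane|Avenue|Close|Drive)\b"),
}


def redact_description(text, complainant):
    """Return (redacted_text, kinds_found) for one free-text complaint description."""
    found = []
    out = text
    # Exact-string match on the complainant's name; a real pipeline would also
    # try initials, surname only and case variants.
    if complainant and complainant in out:
        out = out.replace(complainant, "[REDACTED name]")
        found.append("name")
    for kind, pattern in PATTERNS.items():
        out, hits = pattern.subn(f"[REDACTED {kind}]", out)
        if hits:
            found.append(kind)
    return out, found


def prepare_for_release(csv_text):
    """Redact the spreadsheet and return (release_csv, review_log).

    release_csv carries only RELEASE_COLUMNS, with descriptions redacted.
    review_log is a list of (row_number, kinds_found); a row with a non-empty
    list held more than a bare name and should be checked by a person before
    the file is uploaded.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(RELEASE_COLUMNS))
    writer.writeheader()
    review_log = []
    for row_number, row in enumerate(reader, start=1):
        description, found = redact_description(row["description"], row["complainant"])
        writer.writerow({"received": row["received"], "description": description})
        review_log.append((row_number, found))
    return out.getvalue(), review_log


def residual_identifiers(text):
    """Final gate before upload: identifier kinds still matched anywhere in the file."""
    return sorted(kind for kind, pattern in PATTERNS.items() if pattern.search(text))


if __name__ == "__main__":
    release, log = prepare_for_release(SAMPLE_CSV)
    print(release)
    for row_number, found in log:
        if found:
            print(f"row {row_number}: review before release, contained {', '.join(found)}")
    print("residual identifiers:", residual_identifiers(release) or "none")
```

The two-stage shape is the point: the row-level log tells the reviewer which complaints carried more than a name in their description (rows 2, 3 and 4 in the sample), and the final scan over the whole output file is the gate that should fail the upload if anything recognisable is still present. The patterns are intentionally crude and will over-match; the page's own lesson is that the cost of a missed phone number or address is far higher than the cost of a manual second look.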
Alun Baker, CEO at Clario, praised the FCA for at least managing to notify those affected within the 72-hour window (the GDPR sets that deadline for reporting a breach to the ICO; affected individuals must be told without undue delay). But he added: “This does not make up for the human error that resulted in thousands of personal details being publicly available for three months and calls the FCA’s safeguards into question.
“There needs to be a serious upheaval in the way companies protect their customers’ details and individuals need to take control of their personal security in order to protect themselves. The ICO needs to ensure it is employing strong enough deterrents and should be directing the money collected from fines to helping the consumers affected by data breaches.”
The FCA is more used to finding itself on the other side of data protection stories. Back in 2018, it hauled Tesco Bank over the coals, fining it £16.4m for failing to exercise due skill, care and diligence in protecting customers from a November 2016 cyber attack.
The attack saw 9,000 Tesco Bank customers lose £2.26m in fraudulent transactions that, the FCA said, capitalised on “deficiencies” in the design of Tesco Bank debit cards, its financial crime controls, and its financial crime operations team.